
Programs crashing and Regedit closes



#1 Slapnut (Member)
I have been experiencing this problem for about 2 days now. When I run programs as normal they work for about 5 minutes, maybe sometimes less, before crashing completely. I opened Regedit but it closes in under a second. I read a guide on here somewhere that said I needed to run Brute Force Uninstaller then AVG Anti-Spyware. I did this but I still had the problem. I then tried to run HijackThis but, lo and behold, it crashed. So I booted into safe mode and ran HijackThis from there. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 13:49:08, on 08/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Josh\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearsh...ar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wrestlezone.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
F3 - REG:win.ini: load=C:\WINDOWS\system32\ijbxluu\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\ijbxluu\winlogon.exe
O1 - Hosts: 1.1.1.1 f-secure.com
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 mast.mcafee.com
O1 - Hosts: 1.1.1.1 my-etrust.com
O1 - Hosts: 1.1.1.1 www.my-etrust.com
O1 - Hosts: 1.1.1.1 nai.com
O1 - Hosts: 1.1.1.1 www.nai.com
O1 - Hosts: 1.1.1.1 networkassociates.com
O1 - Hosts: 1.1.1.1 secure.nai.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 sophos.com
O1 - Hosts: 1.1.1.1 www.sophos.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 www.viruslist.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O1 - Hosts: 1.1.1.1 www.webroot.com
O1 - Hosts: 1.1.1.1 webroot.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{308E6~1\Bar888.dll (file missing)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{308E6~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C44 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P32 "EPSON Stylus C44 Series (Copy 1)" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\dlg\ctfmon.exe
O4 - HKLM\..\Run: [SvcHost] svshost.exe
O4 - HKLM\..\Run: [winpol] C:\WINDOWS\system32\winpol.exe
O4 - HKLM\..\RunServices: [SvcHost] svshost.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?4638cb014cef46768c3a1c7395401bf0
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?4638cb014cef46768c3a1c7395401bf0
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001291 (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Microsoft Security Center - Unknown owner - C:\WINDOWS\system32\winpol.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by Slapnut, 08 April 2007 - 06:54 AM.

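As an added illustration (not code from the thread or from HijackThis), here is a small triage script for a HijackThis 1.99-style log that flags the patterns visible in the log above: security-vendor hostnames blackholed in the hosts file, system-binary names loaded from the wrong directory (the winlogon.exe under system32\ijbxluu, the ctfmon.exe under system32\dlg), typo-squatted names such as svshost.exe, a startup shortcut named after a system binary, and services with an unknown owner or a Microsoft-sounding display name. The sample log lines are copied from the post; the vendor keyword list, the expected-directory table and the edit-distance threshold are assumptions chosen for this example.

```python
"""Triage a HijackThis log for hosts-file AV blocking, system-binary lookalikes
and impostor services. Added example; not part of HijackThis or the forum thread."""
import re
from pathlib import PureWindowsPath

# Assumed: vendor/update hostnames that malware commonly blackholes in the hosts file.
VENDOR_KEYWORDS = ("symantec", "mcafee", "sophos", "kaspersky", "trendmicro", "f-secure",
                   "grisoft", "avast", "bitdefender", "nai.com", "pandasoftware",
                   "sysinternals", "microsoft", "zonelabs", "webroot", "ewido", "viruslist")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Assumed: Windows system binaries and the directory they legitimately load from.
SYSTEM_BINARIES = {
    "svchost.exe": "system32", "winlogon.exe": "system32", "lsass.exe": "system32",
    "services.exe": "system32", "csrss.exe": "system32", "ctfmon.exe": "system32",
    "smss.exe": "system32", "explorer.exe": "windows",
}
# Either a full drive path ending in .exe, or a bare file name ending in .exe.
EXE_RE = re.compile(r'(?:[A-Za-z]:\\[^"]*?\.exe|[\w~.-]+\.exe)', re.I)


def levenshtein(a, b):
    """Edit distance; catches typo-squatted names such as svshost.exe vs svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_binary(cmd, origin):
    """Flag a system binary loaded from the wrong directory, or a near-miss of its name."""
    m = EXE_RE.search(cmd)
    if not m:
        return None
    p = PureWindowsPath(m.group(0))
    name, parent = p.name.lower(), p.parent.name.lower()
    if name in SYSTEM_BINARIES:
        if parent and parent != SYSTEM_BINARIES[name]:
            return (origin, "system binary name loaded from unexpected directory", m.group(0))
        return None
    for legit in SYSTEM_BINARIES:
        if levenshtein(name, legit) <= 2:  # threshold is an assumption
            return (origin, f"lookalike of {legit}", m.group(0))
    return None


def triage(log_text):
    """Return a list of (section, reason, evidence) findings for one HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r'^(O\d+|R\d|F\d) - (.*)$', line.strip())
        if not m:
            continue
        sec, rest = m.groups()
        if sec == "O1" and rest.startswith("Hosts:"):
            ip, host = rest.split()[1:3]
            if ip not in LOOPBACK and any(k in host.lower() for k in VENDOR_KEYWORDS):
                findings.append((sec, f"security vendor host redirected to {ip}", host))
        elif sec == "F3" and re.search(r'win\.ini: (load|run)=\S', rest):
            findings.append((sec, "win.ini load/run entry (should be empty on XP)", rest))
            findings.append(check_binary(rest, sec))
        elif sec == "O4":
            if "Startup:" in rest:
                lnk = re.search(r'([\w~]+)\.lnk', rest)
                if lnk and lnk.group(1).lower() + ".exe" in SYSTEM_BINARIES:
                    findings.append((sec, "startup shortcut named like a system binary", rest))
            else:  # strip the "HKLM\..\Run: [value name] " prefix, keep the command
                findings.append(check_binary(rest.split("] ", 1)[-1], sec))
        elif sec == "O23":
            svc = re.match(r'Service: (.*?) - (.*?) - (.*)', rest)
            if not svc:
                continue
            display, owner, path = svc.groups()
            if "unknown owner" in owner.lower() or (
                    re.search(r'microsoft|windows', display, re.I)
                    and "microsoft" not in owner.lower()):
                findings.append((sec, f"service '{display}' with owner '{owner}'", path))
            findings.append(check_binary(path, sec))
    return [f for f in findings if f]


# Constructed sample: a handful of lines copied from the HijackThis log in the post.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
F3 - REG:win.ini: load=C:\WINDOWS\system32\ijbxluu\winlogon.exe
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 services.google.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\dlg\ctfmon.exe
O4 - HKLM\..\Run: [SvcHost] svshost.exe
O4 - HKLM\..\Run: [winpol] C:\WINDOWS\system32\winpol.exe
O4 - Startup: winlogon.lnk = ?
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001291 (file missing)
O23 - Service: Microsoft Security Center - Unknown owner - C:\WINDOWS\system32\winpol.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

if __name__ == "__main__":
    for section, reason, evidence in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {evidence}")
```

Legitimate entries such as ccApp.exe and the Symantec service produce no finding, while winpol.exe is caught through its impostor service name rather than its file name.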


#2 loophole (Malware Expert, Retired Staff)
Hi :whistling:

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\ijbxluu
    C:\PROGRA~1\COMMON~1\{308E6~1
    C:\WINDOWS\system32\winpol.exe
    c:\documents and settings\Josh\start menu\programs\startup\winlogon.lnk


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

After the reboot

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

#3 Slapnut (Topic Starter)
"Josh" - 07-04-08 17:22:53 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Josh\Desktop"


((((((((((((((((((((((((((((((( Files Created from 2007-03-08 to 2007-04-08 ))))))))))))))))))))))))))))))))))


2007-04-08 12:48 <DIR> d-------- C:\bintheredunthat
2007-04-08 12:38 37,750 --a------ C:\avnt04.exe
2007-04-08 12:35 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-08 11:34 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\vlc
2007-04-08 11:33 <DIR> d-------- C:\Program Files\VideoLAN
2007-04-07 22:36 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-04-07 15:47 <DIR> d-------- C:\PULP_FCsssssss
2007-04-07 15:16 <DIR> d-------- C:\PULP_FC
2007-04-07 13:09 <DIR> d-------- C:\PULP_FICTION
2007-04-07 12:19 <DIR> d-------- C:\Program Files\Azureus
2007-04-07 11:20 87,608 --a------ C:\DOCUME~1\Josh\APPLIC~1\ezpinst.exe
2007-04-07 11:20 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-04-07 11:20 47,360 --a------ C:\DOCUME~1\Josh\APPLIC~1\pcouffin.sys
2007-04-07 11:20 <DIR> d-------- C:\Program Files\vso
2007-04-07 11:20 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\Vso
2007-04-07 00:50 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\ImgBurn
2007-04-07 00:48 <DIR> d-------- C:\Program Files\ImgBurn
2007-04-07 00:07 <DIR> d-------- C:\Program Files\OpenVideoJoiner
2007-04-06 23:41 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\Ahead
2007-04-06 23:35 <DIR> d-------- C:\Program Files\Nero
2007-04-06 23:35 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-04-06 23:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-04-06 23:33 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-04-06 22:53 196,608 --a------ C:\wavupdate.exe
2007-04-06 22:53 <DIR> d--h----- C:\WINDOWS\system32\drivirs
2007-04-06 13:50 <DIR> d-------- C:\DOCUME~1\Nigel\APPLIC~1\WinRAR
2007-04-06 12:19 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2007-04-05 16:43 <DIR> d-------- C:\Program Files\DVDx
2007-04-05 16:35 10,646 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-05 16:34 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\dvdcss
2007-04-05 16:25 <DIR> d-------- C:\Program Files\NO1 DVD Ripper
2007-04-05 15:04 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-04-05 15:04 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-04-05 15:04 <DIR> d-------- C:\Program Files\Xvid
2007-04-05 14:38 <DIR> d-------- C:\Program Files\WinAVIVideoConverter
2007-04-05 11:02 <DIR> d-------- C:\Program Files\Super DVD Creator 9.25.0
2007-04-04 19:24 <DIR> d-------- C:\Program Files\Audacity
2007-04-02 19:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-02 17:46 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\AdobeUM
2007-04-01 16:08 <DIR> d-------- C:\Program Files\Common Files\Vbox
2007-03-28 19:42 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-03-27 22:08 <DIR> d-------- C:\DOCUME~1\Nigel\APPLIC~1\AdobeUM
2007-03-27 17:38 <DIR> d-------- C:\Program Files\dvdSanta
2007-03-27 17:29 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\Canopus
2007-03-27 17:05 93,423 --a------ C:\WINDOWS\system32\svshost.exe
2007-03-27 16:55 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-03-27 16:55 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-03-27 16:55 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-03-27 16:55 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-03-27 16:55 <DIR> d-------- C:\Program Files\Cucusoft
2007-03-26 20:43 2,368 --a------ C:\WINDOWS\system32\SVKP.sys
2007-03-26 20:43 <DIR> d-------- C:\WINDOWS\system32\dlg
2007-03-25 21:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-03-25 20:25 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\uTorrent
2007-03-25 14:25 <DIR> d-------- C:\Program Files\Lx_cats
2007-03-25 14:24 98,304 --a------ C:\WINDOWS\system32\lxcfinsr.dll
2007-03-25 14:24 704,512 --a------ C:\WINDOWS\system32\lxcfcomc.dll
2007-03-25 14:24 65,536 -ra------ C:\WINDOWS\system32\lxcfcfg.dll
2007-03-25 14:24 491,520 --a------ C:\WINDOWS\system32\lxcfcoms.exe
2007-03-25 14:24 483,328 --a------ C:\WINDOWS\system32\lxcflmpm.dll
2007-03-25 14:24 413,696 --a------ C:\WINDOWS\system32\lxcfcomm.dll
2007-03-25 14:24 401,408 --a------ C:\WINDOWS\system32\lxcfutil.dll
2007-03-25 14:24 40,960 --a------ C:\WINDOWS\system32\lxcfvs.dll
2007-03-25 14:24 372,736 --a------ C:\WINDOWS\system32\lxcfih.exe
2007-03-25 14:24 172,032 --a------ C:\WINDOWS\system32\lxcfinsb.dll
2007-03-25 14:24 155,648 --a------ C:\WINDOWS\system32\lxcfprox.dll
2007-03-25 14:24 131,072 --a------ C:\WINDOWS\system32\lxcfins.dll
2007-03-25 14:24 126,976 --a------ C:\WINDOWS\system32\lxcfjswr.dll
2007-03-25 14:24 114,688 --a------ C:\WINDOWS\system32\lxcfpplc.dll
2007-03-25 14:24 1,183,744 --a------ C:\WINDOWS\system32\lxcfserv.dll
2007-03-25 14:24 1,134,592 --a------ C:\WINDOWS\system32\lxcfusb1.dll
2007-03-25 14:23 983,121 --a------ C:\WINDOWS\system32\lxcfgf.dll
2007-03-25 14:23 86,016 --a------ C:\WINDOWS\system32\lxcfcub.dll
2007-03-25 14:23 73,728 --a------ C:\WINDOWS\system32\lxcfcu.dll
2007-03-25 14:23 36,864 --a------ C:\WINDOWS\system32\lxcfcur.dll
2007-03-25 14:23 <DIR> d-------- C:\Program Files\Lexmark 730 Series
2007-03-24 15:04 <DIR> d-------- C:\Program Files\download-mediasoft.com
2007-03-21 16:43 <DIR> d-------- C:\Program Files\Easy Video Joiner
2007-03-18 21:57 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-03-18 21:57 306,688 --a------ C:\WINDOWS\system32\avisynth.dll
2007-03-18 21:53 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\Elaborate Bytes
2007-03-18 21:52 <DIR> d-------- C:\Program Files\Elaborate Bytes
2007-03-18 21:50 5,061,763 --a------ C:\WINDOWS\SetupCloneDVD2.exe
2007-03-18 21:39 <DIR> d-------- C:\Program Files\DVD Shrink
2007-03-18 21:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-03-18 18:54 <DIR> d-------- C:\Program Files\Video Convert Master
2007-03-16 22:02 <DIR> d-------- C:\DOCUME~1\Nigel\Contacts
2007-03-14 19:27 972,336 --a------ C:\WINDOWS\UNRecode.exe
2007-03-14 19:20 133,168 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
2007-03-14 19:20 11,568 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2007-03-14 19:19 972,336 --a------ C:\WINDOWS\UNNeroBackItUp.exe
2007-03-14 19:19 95,864 --a------ C:\WINDOWS\system32\NeroCo.dll
2007-03-14 17:42 <DIR> d-------- C:\Program Files\LIUtilities
2007-03-12 22:59 8 -r-hs---- C:\WINDOWS\system32\7A3754D650.dll
2007-03-12 22:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Protexis
2007-03-12 19:22 <DIR> d-------- C:\Program Files\Wordshark 3s
2007-03-12 17:57 <DIR> d-------- C:\Program Files\Common Files\NSV
2007-03-12 17:32 <DIR> d-------- C:\Program Files\IDA
2007-03-12 17:32 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\Internet Download Accelerator
2007-03-12 13:51 972,336 --a------ C:\WINDOWS\UNNeroMediaHome.exe
2007-03-11 10:45 <DIR> d-------- C:\DOCUME~1\Nigel\APPLIC~1\Adobe
2007-03-08 21:55 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\Apple Computer
2007-03-08 21:54 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2007-03-08 21:54 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-03-08 21:54 <DIR> d-------- C:\Program Files\QuickTime
2007-03-08 21:54 <DIR> d-------- C:\Program Files\iTunes
2007-03-08 21:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
2007-03-08 21:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-03-08 21:52 38,229 --------- C:\WINDOWS\system32\drivers\StMp3Rec.sys
2007-03-08 21:52 <DIR> d-------- C:\Program Files\iPod
2007-03-08 20:42 <DIR> d-------- C:\WINDOWS\Downloaded Installations


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-08 13:44 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-04-07 12:23 -------- d-------- C:\DOCUME~1\Josh\APPLIC~1\azureus
2007-04-07 11:20 34 --a------ C:\DOCUME~1\Josh\APPLIC~1\pcouffin.log
2007-04-07 11:20 1144 --a------ C:\DOCUME~1\Josh\APPLIC~1\pcouffin.inf
2007-04-07 11:20 1074 --a------ C:\DOCUME~1\Josh\APPLIC~1\pcouffin.cat
2007-04-05 23:18 85 ---hs---- C:\DOCUME~1\Josh\APPLIC~1\.zreglib
2007-04-02 21:15 284 --a------ C:\DOCUME~1\Josh\APPLIC~1\viewerapp.dat
2007-04-01 16:06 -------- d--h----- C:\Program Files\installshield installation information
2007-03-21 16:30 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-03-14 17:47 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-03-12 22:55 -------- d-------- C:\Program Files\epson
2007-03-08 20:42 -------- d-------- C:\Program Files\Common Files\installshield
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 21:54 -------- d-------- C:\DOCUME~1\Josh\APPLIC~1\help
2007-03-07 21:33 -------- d-------- C:\Program Files\Common Files\epson
2007-03-06 18:33 -------- d-------- C:\DOCUME~1\Josh\APPLIC~1\template
2007-03-06 15:50 1101824 --a------ C:\WINDOWS\system32\nmsdvdxu.dll
2007-03-04 17:08 -------- d-------- C:\Program Files\avisynth 2.5
2007-03-03 00:21 -------- d-------- C:\Program Files\power mp3 wma converter
2007-03-03 00:13 -------- d-------- C:\Program Files\nch swift sound
2007-02-28 20:53 972336 --a------ C:\WINDOWS\unnerovision.exe
2007-02-28 15:41 972336 --a------ C:\WINDOWS\unneroshowtime.exe
2007-02-24 18:34 -------- d-------- C:\DOCUME~1\Josh\APPLIC~1\opera
2007-02-23 14:42 -------- d-------- C:\Program Files\erightsoft
2007-02-23 14:27 -------- d-------- C:\Program Files\Common Files\swf studio
2007-02-20 22:51 -------- d-------- C:\Program Files\google
2007-02-19 21:25 -------- d-------- C:\Program Files\ares
2007-02-19 21:07 -------- d-------- C:\Program Files\java
2007-02-19 20:05 -------- d-------- C:\Program Files\bearshare applications
2007-02-19 18:26 -------- d-------- C:\Program Files\sony corporation
2007-02-19 18:26 -------- d-------- C:\Program Files\Common Files\muvee technologies
2007-02-19 14:07 -------- d-------- C:\DOCUME~1\Josh\APPLIC~1\google
2007-02-18 19:50 -------- d-------- C:\Program Files\divx
2007-02-18 16:42 -------- d-------- C:\Program Files\final draft 7
2007-02-18 13:34 -------- d-------- C:\Program Files\winamp
2007-02-18 01:52 -------- d-------- C:\DOCUME~1\Josh\APPLIC~1\final draft
2007-02-18 01:51 -------- d-------- C:\Program Files\final draft tagger
2007-02-18 00:27 -------- d-------- C:\DOCUME~1\Josh\APPLIC~1\winrar
2007-02-17 18:15 -------- d-------- C:\Program Files\mgtweak
2007-02-17 14:48 -------- d-------- C:\Program Files\messenger
2007-02-17 12:26 -------- d-------- C:\Program Files\msxml 4.0
2007-02-16 23:30 -------- d-------- C:\Program Files\Common Files\nullsoft
2007-02-16 23:30 -------- d-------- C:\Program Files\aol companion
2007-02-16 18:13 -------- d-------- C:\Program Files\symantec
2007-02-16 18:12 -------- d-------- C:\Program Files\symnetdrv
2007-02-16 17:59 -------- d-------- C:\Program Files\windows live toolbar
2007-02-16 17:57 -------- d-------- C:\Program Files\msn messenger
2007-02-16 16:48 -------- d-------- C:\Program Files\voyagertest
2007-02-16 16:48 -------- d-------- C:\Program Files\Common Files\ftl shared
2007-02-16 16:47 -------- d-------- C:\Program Files\bt voyager 105 adsl modem
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"Internet Download Accelerator"="C:\\Program Files\\IDA\\ida.exe -autorun"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"VTTimer"="VTTimer.exe"
"VTTrayp"="VTtrayp.exe"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"URLLSTCK.exe"="C:\\Program Files\\Norton Internet Security\\UrlLstCk.exe"
"PCMService"="\"c:\\Apps\\Powercinema\\PCMService.exe\""
"DSLSTATEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
"%FP%Friendly fts.exe"="\"C:\\Program Files\\VoyagerTest\\fts.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"EPSON Stylus C44 Series (Copy 1)"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P32 \"EPSON Stylus C44 Series (Copy 1)\" /O6 \"USB001\" /M \"Stylus C44\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"LXCFCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCFtime.dll,[email protected]"
"ctfmon"="C:\\WINDOWS\\system32\\dlg\\ctfmon.exe"
"SvcHost"="svshost.exe"
"winpol"="C:\\WINDOWS\\system32\\winpol.exe"
"cftmon"="C:\\WINDOWS\\system32\\WindowsUpdate.exe"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SvcHost"="svshost.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

Stack overflow


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\
Notification Packages REG_MULTI_SZ scecli\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
bthsvcs REG_MULTI_SZ BthServ\



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

? [3356]

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]????
cftmon = C:\WINDOWS\system32\WindowsUpdate.exe??????????????????????????????????????????????????????????????????
scanning hidden files ...


scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-08 17:26:17
C:\ComboFix-quarantined-files.txt ... 07-04-08 17:26
C:\ComboFix2.txt ... 07-04-08 17:14

Edited by loophole, 08 April 2007 - 11:29 AM.


#4 loophole (Malware Expert, Retired Staff)
Can you post a Hijack log now, or is it still closing? If you can, please post it while I go through the log.

#5 Slapnut (Topic Starter)
New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 18:32:24, on 08/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svshost.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Josh\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wrestlezone.com/
O1 - Hosts: 1.1.1.1 f-secure.com
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 mast.mcafee.com
O1 - Hosts: 1.1.1.1 my-etrust.com
O1 - Hosts: 1.1.1.1 www.my-etrust.com
O1 - Hosts: 1.1.1.1 nai.com
O1 - Hosts: 1.1.1.1 www.nai.com
O1 - Hosts: 1.1.1.1 networkassociates.com
O1 - Hosts: 1.1.1.1 secure.nai.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 sophos.com
O1 - Hosts: 1.1.1.1 www.sophos.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 www.viruslist.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O1 - Hosts: 1.1.1.1 www.webroot.com
O1 - Hosts: 1.1.1.1 webroot.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C44 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P32 "EPSON Stylus C44 Series (Copy 1)" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\dlg\ctfmon.exe
O4 - HKLM\..\Run: [SvcHost] svshost.exe
O4 - HKLM\..\Run: [winpol] C:\WINDOWS\system32\winpol.exe
O4 - HKLM\..\RunServices: [SvcHost] svshost.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?4638cb014cef46768c3a1c7395401bf0
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?4638cb014cef46768c3a1c7395401bf0
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Microsoft Security Center - Unknown owner - C:\WINDOWS\system32\winpol.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0
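Two of the entries in the log above are name tricks rather than new software: `svshost.exe` (one letter away from `svchost.exe`) registered under the value name `SvcHost`, and a `ctfmon.exe` that is launched from `system32\dlg` instead of `system32`. The script below is an added example, not part of this thread and not HijackThis code: it parses O4 lines, measures edit distance against a short list of system binaries to catch look-alikes, and flags genuine names running from an unexpected directory. The sample lines are constructed after the posted log, and the list of legitimate binaries and their home directories is a small illustrative assumption, not an authoritative inventory.

```python
"""Flag HijackThis O4 autorun entries whose program name or registry value
name imitates a Windows system binary, or whose genuine name runs from the
wrong directory. Added example, not part of the thread; sample lines are
constructed after the posted log and the legitimate-binary list is a short
illustrative assumption."""
import re

# Assumption: XP-era system binaries that malware commonly imitates.
LEGIT_BINARIES = {
    "svchost.exe", "ctfmon.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "rundll32.exe", "spoolsv.exe", "smss.exe",
}
# Where those binaries are expected to live (lower-case, no trailing slash).
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows"}

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap
    of adjacent characters each cost 1, so 'cftmon' is 1 away from 'ctfmon'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def program_path(cmd: str) -> str:
    """Pull the launched program out of an O4 command line; cutting at the
    first '.exe' copes with unquoted paths that contain spaces."""
    cmd = cmd.strip().lstrip('"')
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    if m:
        return cmd[: m.end()]
    return cmd.split()[0] if cmd.split() else cmd


def lookalike_of(name: str):
    """Return the legitimate binary that `name` is exactly one edit away from."""
    for legit in sorted(LEGIT_BINARIES):
        if name != legit and osa_distance(name, legit) == 1:
            return legit
    return None


def audit_o4_line(line: str) -> list:
    """Findings for one O4 line; an empty list means nothing suspicious."""
    m = O4_RE.match(line)
    if not m:
        return []
    findings = []
    path = program_path(m.group("cmd"))
    base = path.rsplit("\\", 1)[-1].lower()
    directory = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
    if base in LEGIT_BINARIES:
        # Genuine name, but launched from somewhere other than its home directory.
        if directory and directory not in EXPECTED_DIRS:
            findings.append(f"{base} runs from unexpected directory {directory}")
    elif lookalike_of(base):
        findings.append(f"program {base} is a look-alike of {lookalike_of(base)}")
    # The value name itself may borrow or imitate a system binary name.
    pseudo = m.group("name").lower() + ".exe"
    if pseudo in LEGIT_BINARIES and base != pseudo:
        findings.append(f"value name [{m.group('name')}] borrows {pseudo} but runs {base}")
    elif pseudo not in LEGIT_BINARIES and lookalike_of(pseudo):
        findings.append(f"value name [{m.group('name')}] is a look-alike of {lookalike_of(pseudo)[:-4]}")
    return findings


def audit(lines) -> list:
    """(value name, findings) for every flagged line, in input order."""
    out = []
    for line in lines:
        f = audit_o4_line(line)
        if f:
            out.append((O4_RE.match(line).group("name"), f))
    return out


# Constructed sample modelled on the thread's log (not copied verbatim).
SAMPLE = [
    r"O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe",
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe",
    r"O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent",
    r"O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\dlg\ctfmon.exe",
    r"O4 - HKLM\..\Run: [SvcHost] svshost.exe",
    r"O4 - HKLM\..\RunServices: [SvcHost] svshost.exe",
    r"O4 - HKLM\..\Run: [cftmon] C:\WINDOWS\system32\WindowsUpdate.exe",
    r'O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h',
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE):
        print(f"[{name}]: " + "; ".join(findings))
```

Run on the constructed sample it flags `ctfmon` (wrong directory), both `SvcHost` entries (borrowed value name plus look-alike program) and `cftmon` (value name one transposition from `ctfmon`), and leaves the vendor entries alone. An entry like `winpol.exe` is not caught by this heuristic because it imitates nothing; that is why a helper still reads the whole log rather than relying on a name check.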

#6
loophole


    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi again

Download the HostsXpert 3.7 - Hosts File Manager.
  • Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | cftmon
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices | SvcHost
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | winpol
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | SvcHost
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | cftmon
Files to delete:
C:\WINDOWS\system32\WindowsUpdate.exe
C:\wavupdate.exe
C:\WINDOWS\system32\svshost.exe
C:\avnt04.exe
C:\WINDOWS\system32\winpol.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply


Also after the reboot,

Please go here and, in the "Browse to the file you want to submit:" box, copy and paste the following line in:

C:\avenger\backup.zip

Then click the send file button. (You can fill out the rest of the info if you wish, but it's not important.)
  • 0
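The O1 lines in the previous log map dozens of security-vendor and Microsoft hostnames to 1.1.1.1, which is why AV updates and vendor sites stop working on the machine; restoring the default hosts file, as the HostsXpert steps above do, undoes that. The script below is an added example, not HostsXpert's code and not part of this thread: it reads either raw hosts-file text or HijackThis O1 lines, reports every protected hostname that is blocked (loopback or 0.0.0.0 target) or redirected (any other address), and rebuilds a default-style file while carrying over only the user's own remaining entries. The vendor-suffix list, the minimal default hosts text and the sample input are all constructed assumptions.

```python
"""Audit a Windows hosts file (or HijackThis O1 lines) for entries that
block or redirect security-vendor and update hostnames, and rebuild a
default-style file. Added example, not HostsXpert's code and not part of
the thread; the suffix list, the default file text and the sample input
are constructed assumptions."""
import ipaddress
import re

# Assumption: illustrative domain suffixes of AV vendors and update services.
PROTECTED_SUFFIXES = (
    "symantec.com", "mcafee.com", "sophos.com", "f-secure.com", "grisoft.com",
    "trendmicro.com", "kaspersky.com", "bitdefender.com", "avast.com",
    "sysinternals.com", "microsoft.com", "zonelabs.com",
)
# Assumption: the restored file in minimal form (the real default has a longer comment header).
DEFAULT_HOSTS = "# Restored default hosts file\n127.0.0.1       localhost\n"

HOSTS_LINE_RE = re.compile(r"^(?P<ip>[0-9a-fA-F.:]+)\s+(?P<names>[^#]+)")
HJT_O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<name>\S+)")


def is_protected(host: str) -> bool:
    """True when the hostname is, or is under, one of the protected suffixes."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def parse_entries(text: str):
    """Yield (ip, hostname) from raw hosts-file text or HijackThis O1 lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HJT_O1_RE.match(line)
        if m:
            yield m.group("ip"), m.group("name")
            continue
        m = HOSTS_LINE_RE.match(line)
        if m:
            for name in m.group("names").split():
                yield m.group("ip"), name


def audit_hosts(text: str) -> list:
    """(hostname, ip, kind) for every protected hostname the file touches.
    A loopback/unspecified target merely blocks; anything else redirects."""
    findings = []
    for ip, name in parse_entries(text):
        if not is_protected(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "unparseable"))
            continue
        kind = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
        findings.append((name, ip, kind))
    return findings


def rebuild_hosts(text: str) -> str:
    """Start from the default file and re-append only the user's own entries,
    dropping anything that touches a protected domain."""
    custom = [f"{ip}\t{name}" for ip, name in parse_entries(text)
              if name.lower() != "localhost" and not is_protected(name)]
    return DEFAULT_HOSTS + "".join(c + "\n" for c in custom)


# Constructed sample input, modelled on the O1 lines in the thread.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
1.1.1.1 www.symantec.com
1.1.1.1 liveupdate.symantec.com
1.1.1.1 housecall.trendmicro.com
127.0.0.1 ads.example.net   # a legitimate user block
192.168.1.10 intranet.example.test
"""
SAMPLE_O1 = """O1 - Hosts: 1.1.1.1 f-secure.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
"""

if __name__ == "__main__":
    for name, ip, kind in audit_hosts(SAMPLE_HOSTS) + audit_hosts(SAMPLE_O1):
        print(f"{kind:10} {name} -> {ip}")
    print(rebuild_hosts(SAMPLE_HOSTS), end="")
```

On the constructed sample the three vendor lines are reported as redirected, the user's own `ads.example.net` block and the intranet entry survive the rebuild, and the vendor entries do not. The distinction between "blocked" and "redirected" matters for triage: a loopback target only cuts the machine off, whereas a foreign address means requests for vendor sites are being sent somewhere the user did not choose.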

#7
Slapnut


    Member

  • Topic Starter
  • Member
  • 10 posts

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rbwcykvm

*******************

Script file located at: \??\C:\Documents and Settings\omjxluxp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\WindowsUpdate.exe not found!
Deletion of file C:\WINDOWS\system32\WindowsUpdate.exe failed!

Could not process line:
C:\WINDOWS\system32\WindowsUpdate.exe
Status: 0xc0000034

File C:\wavupdate.exe deleted successfully.
File C:\WINDOWS\system32\svshost.exe deleted successfully.
File C:\avnt04.exe deleted successfully.


File C:\WINDOWS\system32\winpol.exe not found!
Deletion of file C:\WINDOWS\system32\winpol.exe failed!

Could not process line:
C:\WINDOWS\system32\winpol.exe
Status: 0xc0000034

Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|cftmon deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices|SvcHost deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|winpol deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|SvcHost deleted successfully.


Could not delete registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|cftmon
Deletion of registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|cftmon failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.



Logfile of HijackThis v1.99.1
Scan saved at 19:17:08, on 08/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Josh\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wrestlezone.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C44 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P32 "EPSON Stylus C44 Series (Copy 1)" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\dlg\ctfmon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?4638cb014cef46768c3a1c7395401bf0
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?4638cb014cef46768c3a1c7395401bf0
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Microsoft Security Center - Unknown owner - C:\WINDOWS\system32\winpol.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Thanks for all this help by the way.
  • 0

#8
loophole


    Malware Expert

  • Retired Staff
  • 9,798 posts
You're welcome for the help :whistling:

Please run combofix again and post the corresponding log.
  • 0

#9
Slapnut


    Member

  • Topic Starter
  • Member
  • 10 posts
"Josh" - 07-04-08 19:38:57 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Josh\Desktop"


((((((((((((((((((((((((((((((( Files Created from 2007-03-08 to 2007-04-08 ))))))))))))))))))))))))))))))))))


2007-04-08 19:11 <DIR> d-------- C:\avenger
2007-04-08 12:48 <DIR> d-------- C:\bintheredunthat
2007-04-08 12:35 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-08 11:34 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\vlc
2007-04-08 11:33 <DIR> d-------- C:\Program Files\VideoLAN
2007-04-07 22:36 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-04-07 15:47 <DIR> d-------- C:\PULP_FCsssssss
2007-04-07 15:16 <DIR> d-------- C:\PULP_FC
2007-04-07 13:09 <DIR> d-------- C:\PULP_FICTION
2007-04-07 12:19 <DIR> d-------- C:\Program Files\Azureus
2007-04-07 11:20 87,608 --a------ C:\DOCUME~1\Josh\APPLIC~1\ezpinst.exe
2007-04-07 11:20 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-04-07 11:20 47,360 --a------ C:\DOCUME~1\Josh\APPLIC~1\pcouffin.sys
2007-04-07 11:20 <DIR> d-------- C:\Program Files\vso
2007-04-07 11:20 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\Vso
2007-04-07 00:50 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\ImgBurn
2007-04-07 00:48 <DIR> d-------- C:\Program Files\ImgBurn
2007-04-07 00:07 <DIR> d-------- C:\Program Files\OpenVideoJoiner
2007-04-06 23:41 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\Ahead
2007-04-06 23:35 <DIR> d-------- C:\Program Files\Nero
2007-04-06 23:35 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-04-06 23:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-04-06 23:33 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-04-06 22:53 <DIR> d--h----- C:\WINDOWS\system32\drivirs
2007-04-06 13:50 <DIR> d-------- C:\DOCUME~1\Nigel\APPLIC~1\WinRAR
2007-04-06 12:19 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2007-04-05 16:43 <DIR> d-------- C:\Program Files\DVDx
2007-04-05 16:35 10,646 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-05 16:34 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\dvdcss
2007-04-05 16:25 <DIR> d-------- C:\Program Files\NO1 DVD Ripper
2007-04-05 15:04 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-04-05 15:04 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-04-05 15:04 <DIR> d-------- C:\Program Files\Xvid
2007-04-05 14:38 <DIR> d-------- C:\Program Files\WinAVIVideoConverter
2007-04-05 11:02 <DIR> d-------- C:\Program Files\Super DVD Creator 9.25.0
2007-04-04 19:24 <DIR> d-------- C:\Program Files\Audacity
2007-04-02 19:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-02 17:46 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\AdobeUM
2007-04-01 16:08 <DIR> d-------- C:\Program Files\Common Files\Vbox
2007-03-28 19:42 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-03-27 22:08 <DIR> d-------- C:\DOCUME~1\Nigel\APPLIC~1\AdobeUM
2007-03-27 17:38 <DIR> d-------- C:\Program Files\dvdSanta
2007-03-27 17:29 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\Canopus
2007-03-27 16:55 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-03-27 16:55 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-03-27 16:55 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-03-27 16:55 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-03-27 16:55 <DIR> d-------- C:\Program Files\Cucusoft
2007-03-26 20:43 2,368 --a------ C:\WINDOWS\system32\SVKP.sys
2007-03-26 20:43 <DIR> d-------- C:\WINDOWS\system32\dlg
2007-03-25 21:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-03-25 20:25 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\uTorrent
2007-03-25 14:25 <DIR> d-------- C:\Program Files\Lx_cats
2007-03-25 14:24 98,304 --a------ C:\WINDOWS\system32\lxcfinsr.dll
2007-03-25 14:24 704,512 --a------ C:\WINDOWS\system32\lxcfcomc.dll
2007-03-25 14:24 65,536 -ra------ C:\WINDOWS\system32\lxcfcfg.dll
2007-03-25 14:24 491,520 --a------ C:\WINDOWS\system32\lxcfcoms.exe
2007-03-25 14:24 483,328 --a------ C:\WINDOWS\system32\lxcflmpm.dll
2007-03-25 14:24 413,696 --a------ C:\WINDOWS\system32\lxcfcomm.dll
2007-03-25 14:24 401,408 --a------ C:\WINDOWS\system32\lxcfutil.dll
2007-03-25 14:24 40,960 --a------ C:\WINDOWS\system32\lxcfvs.dll
2007-03-25 14:24 372,736 --a------ C:\WINDOWS\system32\lxcfih.exe
2007-03-25 14:24 172,032 --a------ C:\WINDOWS\system32\lxcfinsb.dll
2007-03-25 14:24 155,648 --a------ C:\WINDOWS\system32\lxcfprox.dll
2007-03-25 14:24 131,072 --a------ C:\WINDOWS\system32\lxcfins.dll
2007-03-25 14:24 126,976 --a------ C:\WINDOWS\system32\lxcfjswr.dll
2007-03-25 14:24 114,688 --a------ C:\WINDOWS\system32\lxcfpplc.dll
2007-03-25 14:24 1,183,744 --a------ C:\WINDOWS\system32\lxcfserv.dll
2007-03-25 14:24 1,134,592 --a------ C:\WINDOWS\system32\lxcfusb1.dll
2007-03-25 14:23 983,121 --a------ C:\WINDOWS\system32\lxcfgf.dll
2007-03-25 14:23 86,016 --a------ C:\WINDOWS\system32\lxcfcub.dll
2007-03-25 14:23 73,728 --a------ C:\WINDOWS\system32\lxcfcu.dll
2007-03-25 14:23 36,864 --a------ C:\WINDOWS\system32\lxcfcur.dll
2007-03-25 14:23 <DIR> d-------- C:\Program Files\Lexmark 730 Series
2007-03-24 15:04 <DIR> d-------- C:\Program Files\download-mediasoft.com
2007-03-21 16:43 <DIR> d-------- C:\Program Files\Easy Video Joiner
2007-03-18 21:57 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-03-18 21:57 306,688 --a------ C:\WINDOWS\system32\avisynth.dll
2007-03-18 21:53 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\Elaborate Bytes
2007-03-18 21:52 <DIR> d-------- C:\Program Files\Elaborate Bytes
2007-03-18 21:50 5,061,763 --a------ C:\WINDOWS\SetupCloneDVD2.exe
2007-03-18 21:39 <DIR> d-------- C:\Program Files\DVD Shrink
2007-03-18 21:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-03-18 18:54 <DIR> d-------- C:\Program Files\Video Convert Master
2007-03-16 22:02 <DIR> d-------- C:\DOCUME~1\Nigel\Contacts
2007-03-14 19:27 972,336 --a------ C:\WINDOWS\UNRecode.exe
2007-03-14 19:20 133,168 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
2007-03-14 19:20 11,568 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2007-03-14 19:19 972,336 --a------ C:\WINDOWS\UNNeroBackItUp.exe
2007-03-14 19:19 95,864 --a------ C:\WINDOWS\system32\NeroCo.dll
2007-03-14 17:42 <DIR> d-------- C:\Program Files\LIUtilities
2007-03-12 22:59 8 -r-hs---- C:\WINDOWS\system32\7A3754D650.dll
2007-03-12 22:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Protexis
2007-03-12 19:22 <DIR> d-------- C:\Program Files\Wordshark 3s
2007-03-12 17:57 <DIR> d-------- C:\Program Files\Common Files\NSV
2007-03-12 17:32 <DIR> d-------- C:\Program Files\IDA
2007-03-12 17:32 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\Internet Download Accelerator
2007-03-12 13:51 972,336 --a------ C:\WINDOWS\UNNeroMediaHome.exe
2007-03-11 10:45 <DIR> d-------- C:\DOCUME~1\Nigel\APPLIC~1\Adobe
2007-03-08 21:55 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\Apple Computer
2007-03-08 21:54 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2007-03-08 21:54 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-03-08 21:54 <DIR> d-------- C:\Program Files\QuickTime
2007-03-08 21:54 <DIR> d-------- C:\Program Files\iTunes
2007-03-08 21:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
2007-03-08 21:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-03-08 21:52 38,229 --------- C:\WINDOWS\system32\drivers\StMp3Rec.sys
2007-03-08 21:52 <DIR> d-------- C:\Program Files\iPod
2007-03-08 20:42 <DIR> d-------- C:\WINDOWS\Downloaded Installations


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-08 13:44 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-04-07 12:23 -------- d-------- C:\DOCUME~1\Josh\APPLIC~1\azureus
2007-04-07 11:20 34 --a------ C:\DOCUME~1\Josh\APPLIC~1\pcouffin.log
2007-04-07 11:20 1144 --a------ C:\DOCUME~1\Josh\APPLIC~1\pcouffin.inf
2007-04-07 11:20 1074 --a------ C:\DOCUME~1\Josh\APPLIC~1\pcouffin.cat
2007-04-05 23:18 85 ---hs---- C:\DOCUME~1\Josh\APPLIC~1\.zreglib
2007-04-02 21:15 284 --a------ C:\DOCUME~1\Josh\APPLIC~1\viewerapp.dat
2007-04-01 16:06 -------- d--h----- C:\Program Files\installshield installation information
2007-03-21 16:30 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-03-14 17:47 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-03-12 22:55 -------- d-------- C:\Program Files\epson
2007-03-08 20:42 -------- d-------- C:\Program Files\Common Files\installshield
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 21:54 -------- d-------- C:\DOCUME~1\Josh\APPLIC~1\help
2007-03-07 21:33 -------- d-------- C:\Program Files\Common Files\epson
2007-03-06 18:33 -------- d-------- C:\DOCUME~1\Josh\APPLIC~1\template
2007-03-06 15:50 1101824 --a------ C:\WINDOWS\system32\nmsdvdxu.dll
2007-03-04 17:08 -------- d-------- C:\Program Files\avisynth 2.5
2007-03-03 00:21 -------- d-------- C:\Program Files\power mp3 wma converter
2007-03-03 00:13 -------- d-------- C:\Program Files\nch swift sound
2007-02-28 20:53 972336 --a------ C:\WINDOWS\unnerovision.exe
2007-02-28 15:41 972336 --a------ C:\WINDOWS\unneroshowtime.exe
2007-02-24 18:34 -------- d-------- C:\DOCUME~1\Josh\APPLIC~1\opera
2007-02-23 14:42 -------- d-------- C:\Program Files\erightsoft
2007-02-23 14:27 -------- d-------- C:\Program Files\Common Files\swf studio
2007-02-20 22:51 -------- d-------- C:\Program Files\google
2007-02-19 21:25 -------- d-------- C:\Program Files\ares
2007-02-19 21:07 -------- d-------- C:\Program Files\java
2007-02-19 20:05 -------- d-------- C:\Program Files\bearshare applications
2007-02-19 18:26 -------- d-------- C:\Program Files\sony corporation
2007-02-19 18:26 -------- d-------- C:\Program Files\Common Files\muvee technologies
2007-02-19 14:07 -------- d-------- C:\DOCUME~1\Josh\APPLIC~1\google
2007-02-18 19:50 -------- d-------- C:\Program Files\divx
2007-02-18 16:42 -------- d-------- C:\Program Files\final draft 7
2007-02-18 13:34 -------- d-------- C:\Program Files\winamp
2007-02-18 01:52 -------- d-------- C:\DOCUME~1\Josh\APPLIC~1\final draft
2007-02-18 01:51 -------- d-------- C:\Program Files\final draft tagger
2007-02-18 00:27 -------- d-------- C:\DOCUME~1\Josh\APPLIC~1\winrar
2007-02-17 18:15 -------- d-------- C:\Program Files\mgtweak
2007-02-17 14:48 -------- d-------- C:\Program Files\messenger
2007-02-17 12:26 -------- d-------- C:\Program Files\msxml 4.0
2007-02-16 23:30 -------- d-------- C:\Program Files\Common Files\nullsoft
2007-02-16 23:30 -------- d-------- C:\Program Files\aol companion
2007-02-16 18:13 -------- d-------- C:\Program Files\symantec
2007-02-16 18:12 -------- d-------- C:\Program Files\symnetdrv
2007-02-16 17:59 -------- d-------- C:\Program Files\windows live toolbar
2007-02-16 17:57 -------- d-------- C:\Program Files\msn messenger
2007-02-16 16:48 -------- d-------- C:\Program Files\voyagertest
2007-02-16 16:48 -------- d-------- C:\Program Files\Common Files\ftl shared
2007-02-16 16:47 -------- d-------- C:\Program Files\bt voyager 105 adsl modem
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"Internet Download Accelerator"="C:\\Program Files\\IDA\\ida.exe -autorun"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"VTTimer"="VTTimer.exe"
"VTTrayp"="VTtrayp.exe"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"URLLSTCK.exe"="C:\\Program Files\\Norton Internet Security\\UrlLstCk.exe"
"PCMService"="\"c:\\Apps\\Powercinema\\PCMService.exe\""
"DSLSTATEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
"%FP%Friendly fts.exe"="\"C:\\Program Files\\VoyagerTest\\fts.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"EPSON Stylus C44 Series (Copy 1)"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P32 \"EPSON Stylus C44 Series (Copy 1)\" /O6 \"USB001\" /M \"Stylus C44\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"LXCFCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCFtime.dll,[email protected]"
"ctfmon"="C:\\WINDOWS\\system32\\dlg\\ctfmon.exe"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

Stack overflow


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\
Notification Packages REG_MULTI_SZ scecli\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
bthsvcs REG_MULTI_SZ BthServ\



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-08 19:42:30
C:\ComboFix-quarantined-files.txt ... 07-04-08 19:42
C:\ComboFix2.txt ... 07-04-08 17:26
C:\ComboFix3.txt ... 07-04-08 17:14

#10
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Give me a couple minutes. Something is interfering with the registry output in combofix.