Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

TrojanDownloader.XS [RESOLVED]


  • This topic is locked This topic is locked

#1
bpg6688

bpg6688

    New Member

  • Member
  • Pip
  • 8 posts
Hi, I recently acquired this rather nasty bug that has managed to completely wreck my system. Along with the annoying popups informing me of a security threat, which lead me to a false download page, my task manager is disabled as well as a variety of other small malicious programs being installed.

So far I have used Ad-Aware and Spybot-Search and Destroy to try and rid myself of some of the baddies that have made it onto my system. However, that is all I have been able to do. My desktop is generally not functional. I can click and drag items as well as double click them but nothing happens.

I really hope that someone is able to help me. Thanks, in advance, for your time and effort. :)

Here is the Hijackthis log -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:31 AM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\system32\rxjddnvj.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\program files\opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rxjddnvj.exe,
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [] "C:\Program Files\ZASystems Inc\ZAShare\ZaShare.exe" .
O4 - HKCU\..\Run: [bpg6688] "C:\Program Files\ZASystems Inc\ZAShare\ZaShare.exe" bpg6688
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [uK1OD0S2dH] rundll32.exe "C:\WINDOWS\exwluhcr.dll",DllCleanServer
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....031/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1196234744766
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1196234734297
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O23 - Service: McAfee Application Installer Cleanup (0102851201918869) (0102851201918869mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\Brian\LOCALS~1\Temp\010285~1.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 8596 bytes
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#3
bpg6688

bpg6688

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is the combofix log.

ComboFix 08-02.02.5 - Brian 2008-02-02 9:58:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1546 [GMT -8:00]
Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\gxyhersv.dll
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\winperformance
C:\Program Files\winperformance\extensions\index.ext
C:\Program Files\winperformance\extensions\main.ldb
C:\Program Files\winperformance\extensions\main.mdb
C:\Program Files\winperformance\files\warn_bad.bmp
C:\Program Files\winperformance\files\warn_trusted.bmp
C:\Program Files\winperformance\files\warn_unknown.bmp
C:\Program Files\winperformance\registry_backup\2008.02.01 16.57.34.rb
C:\Program Files\winperformance\scan.archive
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\apefivml.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\uK1OD0S2dHwp.exe
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\apiuser32.dll
C:\WINDOWS\system32\btexesrv.dllbox
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\hynyprny.dll
C:\WINDOWS\system32\ijbijqbm.dll
C:\WINDOWS\system32\ijkmp.ini
C:\WINDOWS\system32\ijkmp.ini2
C:\WINDOWS\system32\mbqjibji.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mqxaxxqd.dll
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MSUPDATE
-------\msupdate


((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-02 00:16 . 2008-02-02 00:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 23:52 . 2008-02-01 23:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-01 23:52 . 2008-02-02 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-01 23:27 . 2008-02-01 23:27 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-01 23:27 . 2008-02-01 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-01 18:26 . 2008-02-02 10:01 7,777 --a------ C:\WINDOWS\system32\Config.MPF
2008-02-01 18:22 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-02-01 18:22 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-02-01 18:22 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-02-01 18:22 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-02-01 18:22 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-02-01 18:21 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-02-01 18:18 . 2008-02-01 18:19 <DIR> d-------- C:\Program Files\McAfee.com
2008-02-01 18:17 . 2008-02-02 09:51 <DIR> d-------- C:\Program Files\McAfee
2008-02-01 18:17 . 2008-02-01 18:21 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-02-01 18:11 . 2008-02-01 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-01 17:16 . 2008-02-01 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-01 17:14 . 2008-02-01 17:14 <DIR> d-------- C:\Program Files\ThreatFire
2008-02-01 17:14 . 2008-02-01 17:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-02-01 17:14 . 2007-12-20 11:24 52,032 --a------ C:\WINDOWS\system32\drivers\TfFsMon.sys
2008-02-01 17:14 . 2007-12-20 11:24 41,792 --a------ C:\WINDOWS\system32\drivers\TfSysMon.sys
2008-02-01 17:14 . 2007-12-20 11:13 33,600 --a------ C:\WINDOWS\system32\drivers\TfNetMon.sys
2008-02-01 17:14 . 2007-12-20 11:13 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-02-01 16:23 . 2008-02-01 16:23 <DIR> d-------- C:\WINDOWS\pvkebtff
2008-02-01 16:23 . 2008-02-01 16:23 151,552 --a------ C:\WINDOWS\exwluhcr.dll
2008-02-01 16:23 . 2008-02-01 16:23 89,617 --a------ C:\WINDOWS\system32\rxjddnvj.exe
2008-02-01 16:23 . 2008-02-01 16:23 89,617 --a------ C:\WINDOWS\kzaxcjgx.exe
2008-02-01 16:23 . 2008-02-01 16:23 54,764 --a------ C:\WINDOWS\system32\fnhoje
2008-02-01 16:23 . 2008-02-01 16:23 49,152 --a------ C:\WINDOWS\unwpatej.exe
2008-01-18 13:06 . 2008-01-18 13:37 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\FileZilla
2008-01-18 13:05 . 2008-01-18 13:05 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-01-18 12:48 . 2008-01-18 12:48 <DIR> d-------- C:\Program Files\FileZilla Server
2008-01-16 16:54 . 2008-01-25 15:46 <DIR> d-------- C:\Program Files\Xfire
2008-01-16 16:54 . 2008-02-02 09:57 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Xfire
2008-01-15 11:36 . 2008-02-01 17:05 4,958,588 --------- C:\WINDOWS\{00000002-00000000-00000009-00001102-00000004-10031102}.BAK
2008-01-15 11:36 . 2008-02-02 10:02 30,912 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-02 10:02 30,912 --a------ C:\WINDOWS\system32\BMXState-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-02 10:02 30,120 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-02 10:02 30,120 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-02 10:02 11,564 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-02 10:02 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-01-15 11:36 . 2008-02-02 10:02 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-01-15 11:20 . 2008-02-01 17:05 4,958,588 --a------ C:\WINDOWS\{00000002-00000000-00000009-00001102-00000004-10031102}.CDF
2008-01-15 11:19 . 2006-08-11 15:14 86,446 --a------ C:\WINDOWS\system32\instwdm.ini
2008-01-15 11:19 . 2006-08-11 14:55 10,240 --a------ C:\WINDOWS\CTDCRES.DLL
2008-01-15 10:05 . 2008-01-15 10:06 <DIR> d-------- C:\WINDOWS\NV31362052.TMP
2008-01-15 10:04 . 2008-01-15 10:04 <DIR> d-------- C:\NVIDIA
2008-01-15 08:21 . 2008-01-15 08:21 <DIR> d-------- C:\Program Files\Linksys Wireless-G Wireless Network Monitor
2008-01-15 08:21 . 2004-12-22 01:32 1,396,831 --a------ C:\WINDOWS\system32\AegisE5.dll
2008-01-15 08:21 . 2004-12-22 01:32 369,024 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2008-01-15 08:21 . 2003-11-20 22:03 147,456 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-01-15 08:21 . 2005-03-04 03:13 71,520 --a------ C:\WINDOWS\system32\drivers\WMP54GS.inf
2008-01-15 08:21 . 2008-01-15 08:21 17,801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-15 08:21 . 2005-03-07 11:50 7,986 --a------ C:\WINDOWS\system32\drivers\WMP54GS.cat
2008-01-15 08:21 . 2008-01-15 08:21 4,200 --a------ C:\WINDOWS\system32\WLAN.INI
2008-01-14 15:02 . 2007-06-28 08:43 17,254 --a------ C:\WINDOWS\system32\nvwsapps.xml
2008-01-14 14:47 . 2005-02-01 18:18 17,992 --a------ C:\WINDOWS\system32\drivers\bcm42rly.sys
2008-01-14 14:47 . 2005-02-01 18:18 17,992 --a------ C:\WINDOWS\bcm42rly.sys
2008-01-14 14:29 . 2008-01-14 14:29 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-14 13:52 . 2004-08-03 22:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2008-01-14 13:52 . 2004-08-03 22:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2008-01-10 20:30 . 2008-01-10 20:30 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Logitech
2008-01-10 20:29 . 2008-01-10 20:29 <DIR> d-------- C:\Program Files\Common Files\LogiShared
2008-01-10 20:29 . 2008-01-10 20:29 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Leadertech
2008-01-10 20:28 . 2007-04-11 15:33 1,419,024 --a------ C:\WINDOWS\system32\WdfCoInstaller01005.dll
2008-01-10 20:28 . 2007-04-11 15:32 56,080 --a------ C:\WINDOWS\KHALMNPR.Exe
2008-01-10 20:28 . 2007-04-11 15:32 36,112 --a------ C:\WINDOWS\system32\drivers\LMouFilt.Sys
2008-01-10 20:28 . 2007-04-11 15:32 34,832 --a------ C:\WINDOWS\system32\drivers\LHidFilt.Sys
2008-01-10 20:28 . 2008-01-10 20:28 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-10 20:28 . 2008-01-10 20:28 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-01-10 20:27 . 2008-01-10 20:27 <DIR> d-------- C:\Program Files\Logitech
2008-01-10 20:27 . 2008-01-10 20:27 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-01-10 20:27 . 2008-01-10 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-01-10 20:27 . 2007-04-23 04:00 163,840 --a------ C:\WINDOWS\system32\kemutb.dll
2008-01-10 20:27 . 2007-04-23 04:00 135,168 --a------ C:\WINDOWS\system32\KemUtil.dll
2008-01-10 20:27 . 2007-04-23 04:00 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
2008-01-10 20:27 . 2007-04-23 04:00 69,632 --a------ C:\WINDOWS\system32\KemXML.dll
2008-01-10 20:26 . 2008-01-10 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-01-10 16:30 . 2008-01-10 16:30 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-01-10 14:20 . 2008-02-01 13:43 23 --a------ C:\WINDOWS\popcinfot.dat
2008-01-09 15:14 . 2008-01-09 15:14 376 --a------ C:\WINDOWS\ODBC.INI
2008-01-09 15:13 . 2008-01-09 15:13 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-01-08 10:29 . 2008-01-08 10:29 <DIR> d-------- C:\Program Files\Rainlendar2
2008-01-08 10:29 . 2008-02-02 09:53 <DIR> d-------- C:\Documents and Settings\Brian\.rainlendar2
2008-01-04 14:26 . 2008-01-04 14:26 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Creative

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 07:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 00:33 --------- d-----w C:\Program Files\AIMTunes
2008-02-02 00:27 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-02 00:16 --------- d-----w C:\Program Files\Stardock
2008-02-02 00:16 --------- d-----w C:\Program Files\Common Files\Stardock
2008-02-01 22:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-01 21:42 --------- d-----w C:\Program Files\Steam
2008-01-31 04:15 --------- d-----w C:\Documents and Settings\Brian\Application Data\uTorrent
2008-01-29 01:09 --------- d-----w C:\Program Files\World of Warcraft
2008-01-18 19:47 --------- d-----w C:\Documents and Settings\Brian\Application Data\Apple Computer
2008-01-16 11:43 --------- d-----w C:\Program Files\Last.fm
2008-01-15 19:35 --------- d-----w C:\Program Files\Creative
2008-01-15 19:19 --------- d-----w C:\Documents and Settings\Brian\Application Data\Creative
2008-01-15 17:45 22,328 ----a-w C:\Documents and Settings\Brian\Application Data\PnkBstrK.sys
2008-01-15 15:46 --------- d-----w C:\Program Files\Trillian
2008-01-09 23:20 --------- d-----w C:\Documents and Settings\Brian\Application Data\Viewpoint
2008-01-09 23:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-09 23:19 --------- d-----w C:\Program Files\MAIET
2008-01-09 23:17 --------- d-----w C:\Program Files\Diablo II
2007-12-09 20:27 --------- d-----w C:\Program Files\Ventrilo
2007-12-05 09:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04bb0db4-27b4-4086-b6b4-2d010229786b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49EE4829-CC17-4E3E-8483-F6BC614F3BE1}]
C:\WINDOWS\system32\pmkji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89A1E40D-0254-4F99-B9AE-B60A2D8754A9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8f869aa8-1dd2-11b2-88c8-cd778efea527}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bb936323-19fa-4521-ba29-eca6a121bc78}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}]
C:\Program Files\Helper\1201911954.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 07:20 50528]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 10:31 1372160]
"bpg6688"="C:\Program Files\ZASystems Inc\ZAShare\ZaShare.exe" [ ]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 02:23 1365504]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 23:56 158208]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2007-12-20 11:13 1238336]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.exe" [2006-08-11 14:42 25600 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\Brian\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-02 00:28:37 106496]
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-05-11 12:43:44 3450608]
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-01-10 16:30:34 2872144]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-10 20:27:39 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"uK1OD0S2dH"= rundll32.exe "C:\WINDOWS\exwluhcr.dll",DllCleanServer

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjiiig]
ljjiiig.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mxkufdsj]
mxkufdsj.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Brian^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\Brian\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Brian^Start Menu^Programs^Startup^Product Registration.lnk]
path=C:\Documents and Settings\Brian\Start Menu\Programs\Startup\Product Registration.lnk
backup=C:\WINDOWS\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9cffd297]
C:\WINDOWS\system32\ijbijqbm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2005-09-23 21:30 483328 C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bpg6688]
C:\Program Files\ZASystems Inc\ZAShare\ZaShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 14:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\drmsrv32]
C:\dcmqd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gxyhersv]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\gxyhersv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Krait]
--a------ 2006-01-24 09:38 147456 C:\Program Files\Razer\Krait\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-12-01 08:54 1266936 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tarantula]
--a------ 2007-05-07 09:52 159744 C:\Program Files\Razer\Tarantula\razerhid.exe

R1 crdpkt;Cirond NDIS Usermode I/O Protocol;C:\WINDOWS\system32\DRIVERS\crdpkt.sys [2004-12-03 15:34]
S3 krait03;Razer krait USB Filter Driver;C:\WINDOWS\system32\Drivers\krait.sys [2005-12-07 16:27]
S3 TarFltr;Razer Tarantula USB Keyboard;C:\WINDOWS\system32\Drivers\UsbFltr.sys [2007-04-11 15:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17b6712a-b30b-11db-9672-f0e9be2eefd5}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d13162cb-b25e-11db-8e15-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 01:16:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 02:20:08 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-02 02:20:06 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 10:03:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\exwluhcr.dll
-> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Common Files\AOL\Loader\aolload.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-02-02 10:06:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 18:06:10
.
2008-01-11 13:01:16 --- E O F ---
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\pvkebtff
C:\WINDOWS\exwluhcr.dll
C:\WINDOWS\system32\rxjddnvj.exe
C:\WINDOWS\kzaxcjgx.exe
C:\WINDOWS\system32\fnhoje
C:\WINDOWS\unwpatej.exe
C:\WINDOWS\system32\pmkji.dll
C:\WINDOWS\exwluhcr.dll
C:\WINDOWS\system32\ijbijqbm.dll
C:\dcmqd.exe
C:\Documents and Settings\All Users\Application Data\gxyhersv.dll
E:\setup.exe
I:\LaunchU3.exe

Folder::
C:\Program Files\ZASystems Inc

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bpg6688]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\drmsrv32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gxyhersv]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17b6712a-b30b-11db-9672-f0e9be2eefd5}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d13162cb-b25e-11db-8e15-806d6172696f}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Also post a new HijackThis log
  • 0

#5
bpg6688

bpg6688

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Combofix Log -

ComboFix 08-02.02.5 - Brian 2008-02-02 11:09:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1568 [GMT -8:00]
Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Brian\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\dcmqd.exe
C:\Documents and Settings\All Users\Application Data\gxyhersv.dll
C:\WINDOWS\exwluhcr.dll
C:\WINDOWS\kzaxcjgx.exe
C:\WINDOWS\pvkebtff
C:\WINDOWS\system32\fnhoje
C:\WINDOWS\system32\ijbijqbm.dll
C:\WINDOWS\system32\pmkji.dll
C:\WINDOWS\system32\rxjddnvj.exe
C:\WINDOWS\unwpatej.exe
E:\setup.exe
I:\LaunchU3.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\fnhoje
C:\WINDOWS\exwluhcr.dll
C:\WINDOWS\kzaxcjgx.exe
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\uK1OD0S2dHwp.exe
C:\WINDOWS\system32\fnhoje
C:\WINDOWS\system32\rxjddnvj.exe
C:\WINDOWS\unwpatej.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-02 00:16 . 2008-02-02 00:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 23:52 . 2008-02-01 23:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-01 23:52 . 2008-02-02 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-01 23:27 . 2008-02-01 23:27 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-01 23:27 . 2008-02-01 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-01 18:26 . 2008-02-02 11:10 7,911 --a------ C:\WINDOWS\system32\Config.MPF
2008-02-01 18:22 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-02-01 18:22 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-02-01 18:22 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-02-01 18:22 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-02-01 18:22 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-02-01 18:21 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-02-01 18:18 . 2008-02-01 18:19 <DIR> d-------- C:\Program Files\McAfee.com
2008-02-01 18:17 . 2008-02-02 09:51 <DIR> d-------- C:\Program Files\McAfee
2008-02-01 18:17 . 2008-02-01 18:21 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-02-01 18:11 . 2008-02-01 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-01 17:16 . 2008-02-01 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-01 17:14 . 2008-02-01 17:14 <DIR> d-------- C:\Program Files\ThreatFire
2008-02-01 17:14 . 2008-02-01 17:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-02-01 17:14 . 2007-12-20 11:24 52,032 --a------ C:\WINDOWS\system32\drivers\TfFsMon.sys
2008-02-01 17:14 . 2007-12-20 11:24 41,792 --a------ C:\WINDOWS\system32\drivers\TfSysMon.sys
2008-02-01 17:14 . 2007-12-20 11:13 33,600 --a------ C:\WINDOWS\system32\drivers\TfNetMon.sys
2008-02-01 17:14 . 2007-12-20 11:13 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-02-01 16:23 . 2008-02-01 16:23 <DIR> d-------- C:\WINDOWS\pvkebtff
2008-01-18 13:06 . 2008-01-18 13:37 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\FileZilla
2008-01-18 13:05 . 2008-01-18 13:05 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-01-18 12:48 . 2008-01-18 12:48 <DIR> d-------- C:\Program Files\FileZilla Server
2008-01-16 16:54 . 2008-01-25 15:46 <DIR> d-------- C:\Program Files\Xfire
2008-01-16 16:54 . 2008-02-02 11:09 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Xfire
2008-01-15 11:36 . 2008-02-01 17:05 4,958,588 --------- C:\WINDOWS\{00000002-00000000-00000009-00001102-00000004-10031102}.BAK
2008-01-15 11:36 . 2008-02-02 11:10 30,912 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-02 11:10 30,912 --a------ C:\WINDOWS\system32\BMXState-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-02 11:10 30,120 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-02 11:10 30,120 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-02 11:10 11,564 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-02 11:10 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-01-15 11:36 . 2008-02-02 11:10 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-01-15 11:20 . 2008-02-01 17:05 4,958,588 --a------ C:\WINDOWS\{00000002-00000000-00000009-00001102-00000004-10031102}.CDF
2008-01-15 11:19 . 2006-08-11 15:14 86,446 --a------ C:\WINDOWS\system32\instwdm.ini
2008-01-15 11:19 . 2006-08-11 14:55 10,240 --a------ C:\WINDOWS\CTDCRES.DLL
2008-01-15 10:05 . 2008-01-15 10:06 <DIR> d-------- C:\WINDOWS\NV31362052.TMP
2008-01-15 10:04 . 2008-01-15 10:04 <DIR> d-------- C:\NVIDIA
2008-01-15 08:21 . 2008-01-15 08:21 <DIR> d-------- C:\Program Files\Linksys Wireless-G Wireless Network Monitor
2008-01-15 08:21 . 2004-12-22 01:32 1,396,831 --a------ C:\WINDOWS\system32\AegisE5.dll
2008-01-15 08:21 . 2004-12-22 01:32 369,024 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2008-01-15 08:21 . 2003-11-20 22:03 147,456 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-01-15 08:21 . 2005-03-04 03:13 71,520 --a------ C:\WINDOWS\system32\drivers\WMP54GS.inf
2008-01-15 08:21 . 2008-01-15 08:21 17,801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-15 08:21 . 2005-03-07 11:50 7,986 --a------ C:\WINDOWS\system32\drivers\WMP54GS.cat
2008-01-15 08:21 . 2008-01-15 08:21 4,200 --a------ C:\WINDOWS\system32\WLAN.INI
2008-01-14 15:02 . 2007-06-28 08:43 17,254 --a------ C:\WINDOWS\system32\nvwsapps.xml
2008-01-14 14:47 . 2005-02-01 18:18 17,992 --a------ C:\WINDOWS\system32\drivers\bcm42rly.sys
2008-01-14 14:47 . 2005-02-01 18:18 17,992 --a------ C:\WINDOWS\bcm42rly.sys
2008-01-14 14:29 . 2008-01-14 14:29 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-14 13:52 . 2004-08-03 22:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2008-01-14 13:52 . 2004-08-03 22:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2008-01-10 20:30 . 2008-01-10 20:30 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Logitech
2008-01-10 20:29 . 2008-01-10 20:29 <DIR> d-------- C:\Program Files\Common Files\LogiShared
2008-01-10 20:29 . 2008-01-10 20:29 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Leadertech
2008-01-10 20:28 . 2007-04-11 15:33 1,419,024 --a------ C:\WINDOWS\system32\WdfCoInstaller01005.dll
2008-01-10 20:28 . 2007-04-11 15:32 56,080 --a------ C:\WINDOWS\KHALMNPR.Exe
2008-01-10 20:28 . 2007-04-11 15:32 36,112 --a------ C:\WINDOWS\system32\drivers\LMouFilt.Sys
2008-01-10 20:28 . 2007-04-11 15:32 34,832 --a------ C:\WINDOWS\system32\drivers\LHidFilt.Sys
2008-01-10 20:28 . 2008-01-10 20:28 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-10 20:28 . 2008-01-10 20:28 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-01-10 20:27 . 2008-01-10 20:27 <DIR> d-------- C:\Program Files\Logitech
2008-01-10 20:27 . 2008-01-10 20:27 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-01-10 20:27 . 2008-01-10 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-01-10 20:27 . 2007-04-23 04:00 163,840 --a------ C:\WINDOWS\system32\kemutb.dll
2008-01-10 20:27 . 2007-04-23 04:00 135,168 --a------ C:\WINDOWS\system32\KemUtil.dll
2008-01-10 20:27 . 2007-04-23 04:00 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
2008-01-10 20:27 . 2007-04-23 04:00 69,632 --a------ C:\WINDOWS\system32\KemXML.dll
2008-01-10 20:26 . 2008-01-10 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-01-10 16:30 . 2008-01-10 16:30 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-01-10 14:20 . 2008-02-01 13:43 23 --a------ C:\WINDOWS\popcinfot.dat
2008-01-09 15:14 . 2008-01-09 15:14 376 --a------ C:\WINDOWS\ODBC.INI
2008-01-09 15:13 . 2008-01-09 15:13 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-01-08 10:29 . 2008-01-08 10:29 <DIR> d-------- C:\Program Files\Rainlendar2
2008-01-08 10:29 . 2008-02-02 10:04 <DIR> d-------- C:\Documents and Settings\Brian\.rainlendar2
2008-01-04 14:26 . 2008-01-04 14:26 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Creative

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 07:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 00:33 --------- d-----w C:\Program Files\AIMTunes
2008-02-02 00:27 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-02 00:16 --------- d-----w C:\Program Files\Stardock
2008-02-02 00:16 --------- d-----w C:\Program Files\Common Files\Stardock
2008-02-01 22:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-01 21:42 --------- d-----w C:\Program Files\Steam
2008-01-31 04:15 --------- d-----w C:\Documents and Settings\Brian\Application Data\uTorrent
2008-01-29 01:09 --------- d-----w C:\Program Files\World of Warcraft
2008-01-18 19:47 --------- d-----w C:\Documents and Settings\Brian\Application Data\Apple Computer
2008-01-16 11:43 --------- d-----w C:\Program Files\Last.fm
2008-01-15 19:35 --------- d-----w C:\Program Files\Creative
2008-01-15 19:19 --------- d-----w C:\Documents and Settings\Brian\Application Data\Creative
2008-01-15 17:45 22,328 ----a-w C:\Documents and Settings\Brian\Application Data\PnkBstrK.sys
2008-01-15 15:46 --------- d-----w C:\Program Files\Trillian
2008-01-09 23:20 --------- d-----w C:\Documents and Settings\Brian\Application Data\Viewpoint
2008-01-09 23:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-09 23:19 --------- d-----w C:\Program Files\MAIET
2008-01-09 23:17 --------- d-----w C:\Program Files\Diablo II
2007-12-09 20:27 --------- d-----w C:\Program Files\Ventrilo
2007-12-05 09:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49EE4829-CC17-4E3E-8483-F6BC614F3BE1}]
C:\WINDOWS\system32\pmkji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}]
C:\Program Files\Helper\1201911954.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 07:20 50528]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 10:31 1372160]
"bpg6688"="C:\Program Files\ZASystems Inc\ZAShare\ZaShare.exe" [ ]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 02:23 1365504]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 23:56 158208]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2007-12-20 11:13 1238336]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.exe" [2006-08-11 14:42 25600 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\Brian\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-02 00:28:37 106496]
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-05-11 12:43:44 3450608]
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-01-10 16:30:34 2872144]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-10 20:27:39 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"uK1OD0S2dH"= rundll32.exe "C:\WINDOWS\exwluhcr.dll",DllCleanServer

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjiiig]
ljjiiig.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mxkufdsj]
mxkufdsj.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Brian^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\Brian\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Brian^Start Menu^Programs^Startup^Product Registration.lnk]
path=C:\Documents and Settings\Brian\Start Menu\Programs\Startup\Product Registration.lnk
backup=C:\WINDOWS\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9cffd297]
C:\WINDOWS\system32\ijbijqbm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2005-09-23 21:30 483328 C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 14:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Krait]
--a------ 2006-01-24 09:38 147456 C:\Program Files\Razer\Krait\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-12-01 08:54 1266936 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tarantula]
--a------ 2007-05-07 09:52 159744 C:\Program Files\Razer\Tarantula\razerhid.exe

R1 crdpkt;Cirond NDIS Usermode I/O Protocol;C:\WINDOWS\system32\DRIVERS\crdpkt.sys [2004-12-03 15:34]
S1 fnhoje;fnhoje;C:\WINDOWS\system32\fnhoje []
S3 krait03;Razer krait USB Filter Driver;C:\WINDOWS\system32\Drivers\krait.sys [2005-12-07 16:27]
S3 TarFltr;Razer Tarantula USB Keyboard;C:\WINDOWS\system32\Drivers\UsbFltr.sys [2007-04-11 15:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d13162cb-b25e-11db-8e15-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 01:16:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 02:20:08 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-02 02:20:06 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 11:12:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-02-02 11:15:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 19:15:23
ComboFix2.txt 2008-02-02 18:06:13
.
2008-01-11 13:01:16 --- E O F ---


HJT -



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:16 AM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49EE4829-CC17-4E3E-8483-F6BC614F3BE1} - C:\WINDOWS\system32\pmkji.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B8622FF} - C:\Program Files\Helper\1201911954.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA9960] command /c del "C:\Documents and Settings\Brian\Local Settings\Temp\~DFA13F.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8101] cmd /c del "C:\Documents and Settings\Brian\Local Settings\Temp\~DFA13F.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2027] command /c del "C:\WINDOWS\system32\mxkufdsj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7250] cmd /c del "C:\WINDOWS\system32\mxkufdsj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9049] command /c del "C:\WINDOWS\system32\mxkufdsj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2860] cmd /c del "C:\WINDOWS\system32\mxkufdsj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2488] command /c del "C:\WINDOWS\system32\pmkji.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6247] cmd /c del "C:\WINDOWS\system32\pmkji.dll_old"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [bpg6688] "C:\Program Files\ZASystems Inc\ZAShare\ZaShare.exe" bpg6688
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [uK1OD0S2dH] rundll32.exe "C:\WINDOWS\exwluhcr.dll",DllCleanServer
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....031/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1196234744766
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1196234734297
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O20 - Winlogon Notify: ljjiiig - ljjiiig.dll (file missing)
O20 - Winlogon Notify: mxkufdsj - mxkufdsj.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 9686 bytes
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {49EE4829-CC17-4E3E-8483-F6BC614F3BE1} - C:\WINDOWS\system32\pmkji.dll (file missing)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B8622FF} - C:\Program Files\Helper\1201911954.dll (file missing)
O4 - HKLM\..\RunOnce: [SpybotDeletingA9960] command /c del "C:\Documents and Settings\Brian\Local Settings\Temp\~DFA13F.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8101] cmd /c del "C:\Documents and Settings\Brian\Local Settings\Temp\~DFA13F.tmp"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2027] command /c del "C:\WINDOWS\system32\mxkufdsj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7250] cmd /c del "C:\WINDOWS\system32\mxkufdsj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9049] command /c del "C:\WINDOWS\system32\mxkufdsj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2860] cmd /c del "C:\WINDOWS\system32\mxkufdsj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2488] command /c del "C:\WINDOWS\system32\pmkji.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6247] cmd /c del "C:\WINDOWS\system32\pmkji.dll_old"
O4 - HKLM\..\Policies\Explorer\Run: [uK1OD0S2dH] rundll32.exe "C:\WINDOWS\exwluhcr.dll",DllCleanServer
O20 - Winlogon Notify: ljjiiig - ljjiiig.dll (file missing)
O20 - Winlogon Notify: mxkufdsj - mxkufdsj.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\exwluhcr.dll
C:\WINDOWS\system32\pmkji.dll_old
C:\WINDOWS\system32\mxkufdsj.dll_old
C:\Documents and Settings\Brian\Local Settings\Temp\~DFA13F.tmp

Folder::
C:\Program Files\Helper

Dirlook::
C:\WINDOWS\pvkebtff

Driver::
fnhoje


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Reboot and post a new HijackThis log
  • 0

#7
bpg6688

bpg6688

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:37 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [bpg6688] "C:\Program Files\ZASystems Inc\ZAShare\ZaShare.exe" bpg6688
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....031/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1196234744766
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1196234734297
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 7738 bytes
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Can you post the ComboFix log as well
  • 0

#9
bpg6688

bpg6688

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
ComboFix 08-02.02.5 - Brian 2008-02-03 9:24:32.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1358 [GMT -8:00]
Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Brian\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\Brian\Local Settings\Temp\~DFA13F.tmp
C:\WINDOWS\exwluhcr.dll
C:\WINDOWS\system32\mxkufdsj.dll_old
C:\WINDOWS\system32\pmkji.dll_old
.

((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-02 11:25 . 2008-02-02 11:25 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-02-02 00:16 . 2008-02-02 00:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 23:52 . 2008-02-01 23:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-01 23:52 . 2008-02-02 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-01 23:27 . 2008-02-01 23:27 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-01 23:27 . 2008-02-01 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-01 18:26 . 2008-02-03 09:25 8,649 --a------ C:\WINDOWS\system32\Config.MPF
2008-02-01 18:22 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-02-01 18:22 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-02-01 18:22 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-02-01 18:22 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-02-01 18:22 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-02-01 18:21 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-02-01 18:18 . 2008-02-01 18:19 <DIR> d-------- C:\Program Files\McAfee.com
2008-02-01 18:17 . 2008-02-02 09:51 <DIR> d-------- C:\Program Files\McAfee
2008-02-01 18:17 . 2008-02-01 18:21 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-02-01 18:11 . 2008-02-01 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-01 17:16 . 2008-02-01 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-01 17:14 . 2008-02-01 17:14 <DIR> d-------- C:\Program Files\ThreatFire
2008-02-01 17:14 . 2008-02-01 17:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-02-01 17:14 . 2007-12-20 11:24 52,032 --a------ C:\WINDOWS\system32\drivers\TfFsMon.sys
2008-02-01 17:14 . 2007-12-20 11:24 41,792 --a------ C:\WINDOWS\system32\drivers\TfSysMon.sys
2008-02-01 17:14 . 2007-12-20 11:13 33,600 --a------ C:\WINDOWS\system32\drivers\TfNetMon.sys
2008-02-01 17:14 . 2007-12-20 11:13 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-02-01 16:23 . 2008-02-01 16:23 <DIR> d-------- C:\WINDOWS\pvkebtff
2008-01-18 13:06 . 2008-01-18 13:37 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\FileZilla
2008-01-18 13:05 . 2008-01-18 13:05 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-01-18 12:48 . 2008-01-18 12:48 <DIR> d-------- C:\Program Files\FileZilla Server
2008-01-16 16:54 . 2008-01-25 15:46 <DIR> d-------- C:\Program Files\Xfire
2008-01-16 16:54 . 2008-02-03 09:22 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Xfire
2008-01-15 11:36 . 2008-02-01 17:05 4,958,588 --------- C:\WINDOWS\{00000002-00000000-00000009-00001102-00000004-10031102}.BAK
2008-01-15 11:36 . 2008-02-03 09:26 30,912 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-03 09:26 30,912 --a------ C:\WINDOWS\system32\BMXState-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-03 09:26 30,120 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-03 09:26 30,120 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-03 09:26 11,564 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-03 09:26 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-01-15 11:36 . 2008-02-03 09:26 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-01-15 11:20 . 2008-02-01 17:05 4,958,588 --a------ C:\WINDOWS\{00000002-00000000-00000009-00001102-00000004-10031102}.CDF
2008-01-15 11:19 . 2006-08-11 15:14 86,446 --a------ C:\WINDOWS\system32\instwdm.ini
2008-01-15 11:19 . 2006-08-11 14:55 10,240 --a------ C:\WINDOWS\CTDCRES.DLL
2008-01-15 10:05 . 2008-01-15 10:06 <DIR> d-------- C:\WINDOWS\NV31362052.TMP
2008-01-15 10:04 . 2008-01-15 10:04 <DIR> d-------- C:\NVIDIA
2008-01-15 08:21 . 2008-01-15 08:21 <DIR> d-------- C:\Program Files\Linksys Wireless-G Wireless Network Monitor
2008-01-15 08:21 . 2004-12-22 01:32 1,396,831 --a------ C:\WINDOWS\system32\AegisE5.dll
2008-01-15 08:21 . 2004-12-22 01:32 369,024 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2008-01-15 08:21 . 2003-11-20 22:03 147,456 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-01-15 08:21 . 2005-03-04 03:13 71,520 --a------ C:\WINDOWS\system32\drivers\WMP54GS.inf
2008-01-15 08:21 . 2008-01-15 08:21 17,801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-15 08:21 . 2005-03-07 11:50 7,986 --a------ C:\WINDOWS\system32\drivers\WMP54GS.cat
2008-01-15 08:21 . 2008-01-15 08:21 4,200 --a------ C:\WINDOWS\system32\WLAN.INI
2008-01-14 15:02 . 2007-06-28 08:43 17,254 --a------ C:\WINDOWS\system32\nvwsapps.xml
2008-01-14 14:47 . 2005-02-01 18:18 17,992 --a------ C:\WINDOWS\system32\drivers\bcm42rly.sys
2008-01-14 14:47 . 2005-02-01 18:18 17,992 --a------ C:\WINDOWS\bcm42rly.sys
2008-01-14 14:29 . 2008-01-14 14:29 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-14 13:52 . 2004-08-03 22:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2008-01-14 13:52 . 2004-08-03 22:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2008-01-10 20:30 . 2008-01-10 20:30 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Logitech
2008-01-10 20:29 . 2008-01-10 20:29 <DIR> d-------- C:\Program Files\Common Files\LogiShared
2008-01-10 20:29 . 2008-01-10 20:29 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Leadertech
2008-01-10 20:28 . 2007-04-11 15:33 1,419,024 --a------ C:\WINDOWS\system32\WdfCoInstaller01005.dll
2008-01-10 20:28 . 2007-04-11 15:32 56,080 --a------ C:\WINDOWS\KHALMNPR.Exe
2008-01-10 20:28 . 2007-04-11 15:32 36,112 --a------ C:\WINDOWS\system32\drivers\LMouFilt.Sys
2008-01-10 20:28 . 2007-04-11 15:32 34,832 --a------ C:\WINDOWS\system32\drivers\LHidFilt.Sys
2008-01-10 20:28 . 2008-01-10 20:28 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-10 20:28 . 2008-01-10 20:28 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-01-10 20:27 . 2008-01-10 20:27 <DIR> d-------- C:\Program Files\Logitech
2008-01-10 20:27 . 2008-01-10 20:27 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-01-10 20:27 . 2008-01-10 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-01-10 20:27 . 2007-04-23 04:00 163,840 --a------ C:\WINDOWS\system32\kemutb.dll
2008-01-10 20:27 . 2007-04-23 04:00 135,168 --a------ C:\WINDOWS\system32\KemUtil.dll
2008-01-10 20:27 . 2007-04-23 04:00 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
2008-01-10 20:27 . 2007-04-23 04:00 69,632 --a------ C:\WINDOWS\system32\KemXML.dll
2008-01-10 20:26 . 2008-01-10 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-01-10 16:30 . 2008-01-10 16:30 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-01-10 14:20 . 2008-02-01 13:43 23 --a------ C:\WINDOWS\popcinfot.dat
2008-01-09 15:14 . 2008-01-09 15:14 376 --a------ C:\WINDOWS\ODBC.INI
2008-01-09 15:13 . 2008-01-09 15:13 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-01-08 10:29 . 2008-01-08 10:29 <DIR> d-------- C:\Program Files\Rainlendar2
2008-01-08 10:29 . 2008-02-02 11:13 <DIR> d-------- C:\Documents and Settings\Brian\.rainlendar2
2008-01-04 14:26 . 2008-01-04 14:26 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Creative

.
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Can you post all of the ComboFix log then do this


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

  • 0

Advertisements


#11
bpg6688

bpg6688

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Sorry about that I hadn't realized that I cut it off.



ComboFix 08-02.02.5 - Brian 2008-02-03 9:24:32.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1358 [GMT -8:00]
Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Brian\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\Brian\Local Settings\Temp\~DFA13F.tmp
C:\WINDOWS\exwluhcr.dll
C:\WINDOWS\system32\mxkufdsj.dll_old
C:\WINDOWS\system32\pmkji.dll_old
.

((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-02 11:25 . 2008-02-02 11:25 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-02-02 00:16 . 2008-02-02 00:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 23:52 . 2008-02-01 23:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-01 23:52 . 2008-02-02 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-01 23:27 . 2008-02-01 23:27 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-01 23:27 . 2008-02-01 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-01 18:26 . 2008-02-03 09:25 8,649 --a------ C:\WINDOWS\system32\Config.MPF
2008-02-01 18:22 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-02-01 18:22 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-02-01 18:22 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-02-01 18:22 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-02-01 18:22 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-02-01 18:21 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-02-01 18:18 . 2008-02-01 18:19 <DIR> d-------- C:\Program Files\McAfee.com
2008-02-01 18:17 . 2008-02-02 09:51 <DIR> d-------- C:\Program Files\McAfee
2008-02-01 18:17 . 2008-02-01 18:21 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-02-01 18:11 . 2008-02-01 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-01 17:16 . 2008-02-01 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-01 17:14 . 2008-02-01 17:14 <DIR> d-------- C:\Program Files\ThreatFire
2008-02-01 17:14 . 2008-02-01 17:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-02-01 17:14 . 2007-12-20 11:24 52,032 --a------ C:\WINDOWS\system32\drivers\TfFsMon.sys
2008-02-01 17:14 . 2007-12-20 11:24 41,792 --a------ C:\WINDOWS\system32\drivers\TfSysMon.sys
2008-02-01 17:14 . 2007-12-20 11:13 33,600 --a------ C:\WINDOWS\system32\drivers\TfNetMon.sys
2008-02-01 17:14 . 2007-12-20 11:13 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-02-01 16:23 . 2008-02-01 16:23 <DIR> d-------- C:\WINDOWS\pvkebtff
2008-01-18 13:06 . 2008-01-18 13:37 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\FileZilla
2008-01-18 13:05 . 2008-01-18 13:05 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-01-18 12:48 . 2008-01-18 12:48 <DIR> d-------- C:\Program Files\FileZilla Server
2008-01-16 16:54 . 2008-01-25 15:46 <DIR> d-------- C:\Program Files\Xfire
2008-01-16 16:54 . 2008-02-03 09:22 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Xfire
2008-01-15 11:36 . 2008-02-01 17:05 4,958,588 --------- C:\WINDOWS\{00000002-00000000-00000009-00001102-00000004-10031102}.BAK
2008-01-15 11:36 . 2008-02-03 09:26 30,912 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-03 09:26 30,912 --a------ C:\WINDOWS\system32\BMXState-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-03 09:26 30,120 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-03 09:26 30,120 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-03 09:26 11,564 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000009-00001102-00000004-10031102}.rfx
2008-01-15 11:36 . 2008-02-03 09:26 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-01-15 11:36 . 2008-02-03 09:26 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-01-15 11:20 . 2008-02-01 17:05 4,958,588 --a------ C:\WINDOWS\{00000002-00000000-00000009-00001102-00000004-10031102}.CDF
2008-01-15 11:19 . 2006-08-11 15:14 86,446 --a------ C:\WINDOWS\system32\instwdm.ini
2008-01-15 11:19 . 2006-08-11 14:55 10,240 --a------ C:\WINDOWS\CTDCRES.DLL
2008-01-15 10:05 . 2008-01-15 10:06 <DIR> d-------- C:\WINDOWS\NV31362052.TMP
2008-01-15 10:04 . 2008-01-15 10:04 <DIR> d-------- C:\NVIDIA
2008-01-15 08:21 . 2008-01-15 08:21 <DIR> d-------- C:\Program Files\Linksys Wireless-G Wireless Network Monitor
2008-01-15 08:21 . 2004-12-22 01:32 1,396,831 --a------ C:\WINDOWS\system32\AegisE5.dll
2008-01-15 08:21 . 2004-12-22 01:32 369,024 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2008-01-15 08:21 . 2003-11-20 22:03 147,456 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-01-15 08:21 . 2005-03-04 03:13 71,520 --a------ C:\WINDOWS\system32\drivers\WMP54GS.inf
2008-01-15 08:21 . 2008-01-15 08:21 17,801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-15 08:21 . 2005-03-07 11:50 7,986 --a------ C:\WINDOWS\system32\drivers\WMP54GS.cat
2008-01-15 08:21 . 2008-01-15 08:21 4,200 --a------ C:\WINDOWS\system32\WLAN.INI
2008-01-14 15:02 . 2007-06-28 08:43 17,254 --a------ C:\WINDOWS\system32\nvwsapps.xml
2008-01-14 14:47 . 2005-02-01 18:18 17,992 --a------ C:\WINDOWS\system32\drivers\bcm42rly.sys
2008-01-14 14:47 . 2005-02-01 18:18 17,992 --a------ C:\WINDOWS\bcm42rly.sys
2008-01-14 14:29 . 2008-01-14 14:29 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-14 13:52 . 2004-08-03 22:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2008-01-14 13:52 . 2004-08-03 22:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2008-01-10 20:30 . 2008-01-10 20:30 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Logitech
2008-01-10 20:29 . 2008-01-10 20:29 <DIR> d-------- C:\Program Files\Common Files\LogiShared
2008-01-10 20:29 . 2008-01-10 20:29 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Leadertech
2008-01-10 20:28 . 2007-04-11 15:33 1,419,024 --a------ C:\WINDOWS\system32\WdfCoInstaller01005.dll
2008-01-10 20:28 . 2007-04-11 15:32 56,080 --a------ C:\WINDOWS\KHALMNPR.Exe
2008-01-10 20:28 . 2007-04-11 15:32 36,112 --a------ C:\WINDOWS\system32\drivers\LMouFilt.Sys
2008-01-10 20:28 . 2007-04-11 15:32 34,832 --a------ C:\WINDOWS\system32\drivers\LHidFilt.Sys
2008-01-10 20:28 . 2008-01-10 20:28 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-10 20:28 . 2008-01-10 20:28 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-01-10 20:27 . 2008-01-10 20:27 <DIR> d-------- C:\Program Files\Logitech
2008-01-10 20:27 . 2008-01-10 20:27 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-01-10 20:27 . 2008-01-10 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-01-10 20:27 . 2007-04-23 04:00 163,840 --a------ C:\WINDOWS\system32\kemutb.dll
2008-01-10 20:27 . 2007-04-23 04:00 135,168 --a------ C:\WINDOWS\system32\KemUtil.dll
2008-01-10 20:27 . 2007-04-23 04:00 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
2008-01-10 20:27 . 2007-04-23 04:00 69,632 --a------ C:\WINDOWS\system32\KemXML.dll
2008-01-10 20:26 . 2008-01-10 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-01-10 16:30 . 2008-01-10 16:30 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-01-10 14:20 . 2008-02-01 13:43 23 --a------ C:\WINDOWS\popcinfot.dat
2008-01-09 15:14 . 2008-01-09 15:14 376 --a------ C:\WINDOWS\ODBC.INI
2008-01-09 15:13 . 2008-01-09 15:13 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-01-08 10:29 . 2008-01-08 10:29 <DIR> d-------- C:\Program Files\Rainlendar2
2008-01-08 10:29 . 2008-02-02 11:13 <DIR> d-------- C:\Documents and Settings\Brian\.rainlendar2
2008-01-04 14:26 . 2008-01-04 14:26 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Creative

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 07:18 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-02 23:22 --------- d-----w C:\Program Files\AIMTunes
2008-02-02 07:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 00:16 --------- d-----w C:\Program Files\Stardock
2008-02-02 00:16 --------- d-----w C:\Program Files\Common Files\Stardock
2008-02-01 22:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-01 21:42 --------- d-----w C:\Program Files\Steam
2008-01-31 04:15 --------- d-----w C:\Documents and Settings\Brian\Application Data\uTorrent
2008-01-29 01:09 --------- d-----w C:\Program Files\World of Warcraft
2008-01-18 19:47 --------- d-----w C:\Documents and Settings\Brian\Application Data\Apple Computer
2008-01-16 11:43 --------- d-----w C:\Program Files\Last.fm
2008-01-15 19:35 --------- d-----w C:\Program Files\Creative
2008-01-15 19:19 --------- d-----w C:\Documents and Settings\Brian\Application Data\Creative
2008-01-15 17:45 22,328 ----a-w C:\Documents and Settings\Brian\Application Data\PnkBstrK.sys
2008-01-15 15:46 --------- d-----w C:\Program Files\Trillian
2008-01-09 23:20 --------- d-----w C:\Documents and Settings\Brian\Application Data\Viewpoint
2008-01-09 23:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-09 23:19 --------- d-----w C:\Program Files\MAIET
2008-01-09 23:17 --------- d-----w C:\Program Files\Diablo II
2007-12-09 20:27 --------- d-----w C:\Program Files\Ventrilo
2007-12-05 09:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\pvkebtff ----

2008-02-02 10:04 857 --a------ C:\WINDOWS\pvkebtff\poloska3.png
2008-02-02 10:04 839 --a------ C:\WINDOWS\pvkebtff\8.png
2008-02-02 10:04 835 --a------ C:\WINDOWS\pvkebtff\9.png
2008-02-02 10:04 822 --a------ C:\WINDOWS\pvkebtff\6.png
2008-02-02 10:04 810 --a------ C:\WINDOWS\pvkebtff\5.png
2008-02-02 10:04 800 --a------ C:\WINDOWS\pvkebtff\frame-h1bg.gif
2008-02-02 10:04 794 --a------ C:\WINDOWS\pvkebtff\7.png
2008-02-02 10:04 721 --a------ C:\WINDOWS\pvkebtff\frame-bg.gif
2008-02-02 10:04 670 --a------ C:\WINDOWS\pvkebtff\3.png
2008-02-02 10:04 667 --a------ C:\WINDOWS\pvkebtff\2.png
2008-02-02 10:04 663 --a------ C:\WINDOWS\pvkebtff\4.png
2008-02-02 10:04 662 --a------ C:\WINDOWS\pvkebtff\1.png
2008-02-02 10:04 5269 --a------ C:\WINDOWS\pvkebtff\promowp5.html
2008-02-02 10:04 4948 --a------ C:\WINDOWS\pvkebtff\promowp2.html
2008-02-02 10:04 49152 --a------ C:\WINDOWS\pvkebtff\Thumbs.db
2008-02-02 10:04 4819 --a------ C:\WINDOWS\pvkebtff\frame-bottom-left.gif
2008-02-02 10:04 4126 --a------ C:\WINDOWS\pvkebtff\promowp3.html
2008-02-02 10:04 3917 --a------ C:\WINDOWS\pvkebtff\head.png
2008-02-02 10:04 3913 --a------ C:\WINDOWS\pvkebtff\main.css
2008-02-02 10:04 3595 --a------ C:\WINDOWS\pvkebtff\download.gif
2008-02-02 10:04 3446 --a------ C:\WINDOWS\pvkebtff\promowp4.html
2008-02-02 10:04 314 --a------ C:\WINDOWS\pvkebtff\bottom-rc.gif
2008-02-02 10:04 2830 --a------ C:\WINDOWS\pvkebtff\memory-prots.png
2008-02-02 10:04 2539 --a------ C:\WINDOWS\pvkebtff\config.png
2008-02-02 10:04 2527 --a------ C:\WINDOWS\pvkebtff\reg.png
2008-02-02 10:04 2400 --a------ C:\WINDOWS\pvkebtff\net.png
2008-02-02 10:04 2281 --a------ C:\WINDOWS\pvkebtff\pc.gif
2008-02-02 10:04 225 --a------ C:\WINDOWS\pvkebtff\repair.png
2008-02-02 10:04 2053 --a------ C:\WINDOWS\pvkebtff\content.png
2008-02-02 10:04 2038 --a------ C:\WINDOWS\pvkebtff\styles.css
2008-02-02 10:04 1997 --a------ C:\WINDOWS\pvkebtff\promowp1.html
2008-02-02 10:04 1931 --a------ C:\WINDOWS\pvkebtff\vline.gif
2008-02-02 10:04 1928 --a------ C:\WINDOWS\pvkebtff\pc-mag.gif
2008-02-02 10:04 17396 --a------ C:\WINDOWS\pvkebtff\indexwp.html
2008-02-02 10:04 1638 --a------ C:\WINDOWS\pvkebtff\icon.png
2008-02-02 10:04 1616 --a------ C:\WINDOWS\pvkebtff\wp.png
2008-02-02 10:04 1582 --a------ C:\WINDOWS\pvkebtff\poloska1.png
2008-02-02 10:04 1499 --a------ C:\WINDOWS\pvkebtff\poloska2.png
2008-02-02 10:04 1470 --a------ C:\WINDOWS\pvkebtff\start.png
2008-02-02 10:04 128 --a------ C:\WINDOWS\pvkebtff\top-rc.gif


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 07:20 50528]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 10:31 1372160]
"bpg6688"="C:\Program Files\ZASystems Inc\ZAShare\ZaShare.exe" [ ]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 02:23 1365504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2007-12-20 11:13 1238336]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.exe" [2006-08-11 14:42 25600 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\Brian\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-02 00:28:37 106496]
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-05-11 12:43:44 3450608]
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-01-10 16:30:34 2872144]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-10 20:27:39 692224]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Brian^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\Brian\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Brian^Start Menu^Programs^Startup^Product Registration.lnk]
path=C:\Documents and Settings\Brian\Start Menu\Programs\Startup\Product Registration.lnk
backup=C:\WINDOWS\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9cffd297]
C:\WINDOWS\system32\ijbijqbm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2005-09-23 21:30 483328 C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 14:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Krait]
--a------ 2006-01-24 09:38 147456 C:\Program Files\Razer\Krait\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-12-01 08:54 1266936 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tarantula]
--a------ 2007-05-07 09:52 159744 C:\Program Files\Razer\Tarantula\razerhid.exe

R1 crdpkt;Cirond NDIS Usermode I/O Protocol;C:\WINDOWS\system32\DRIVERS\crdpkt.sys [2004-12-03 15:34]
S3 krait03;Razer krait USB Filter Driver;C:\WINDOWS\system32\Drivers\krait.sys [2005-12-07 16:27]
S3 TarFltr;Razer Tarantula USB Keyboard;C:\WINDOWS\system32\Drivers\UsbFltr.sys [2007-04-11 15:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d13162cb-b25e-11db-8e15-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 01:16:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 02:20:08 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-02 02:20:06 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 09:27:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-02-03 9:30:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-03 17:30:13
ComboFix2.txt 2008-02-02 19:15:26
ComboFix3.txt 2008-02-02 18:06:13
.
2008-01-11 13:01:16 --- E O F ---
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ok, run SUPERAntiSpyware and post a new HijackThis log after it is done
  • 0

#13
bpg6688

bpg6688

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
SAS

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/03/2008 at 11:53 AM

Application Version : 3.9.1008

Core Rules Database Version : 3394
Trace Rules Database Version: 1159

Scan type : Complete Scan
Total Scan Time : 01:47:23

Memory items scanned : 496
Memory threats detected : 0
Registry items scanned : 5741
Registry threats detected : 0
File items scanned : 92155
File threats detected : 19

Rogue.Unclassified/Loader
C:\QOOBOX\QUARANTINE\C\WINDOWS\KZAXCJGX.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RXJDDNVJ.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75861ED5-76E5-49A2-9FDF-1B0F8EABBA93}\RP555\A0100212.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75861ED5-76E5-49A2-9FDF-1B0F8EABBA93}\RP555\A0100213.EXE

Rogue.WinPerformance
C:\QOOBOX\QUARANTINE\C\WINDOWS\PERFINFO\UK1OD0S2DHWP.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75861ED5-76E5-49A2-9FDF-1B0F8EABBA93}\RP551\A0093892.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75861ED5-76E5-49A2-9FDF-1B0F8EABBA93}\RP554\A0100048.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75861ED5-76E5-49A2-9FDF-1B0F8EABBA93}\RP555\A0100210.EXE

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75861ED5-76E5-49A2-9FDF-1B0F8EABBA93}\RP551\A0093957.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75861ED5-76E5-49A2-9FDF-1B0F8EABBA93}\RP551\A0093961.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75861ED5-76E5-49A2-9FDF-1B0F8EABBA93}\RP554\A0100101.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75861ED5-76E5-49A2-9FDF-1B0F8EABBA93}\RP554\A0100102.DLL

Adware.OuterInfo-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75861ED5-76E5-49A2-9FDF-1B0F8EABBA93}\RP553\A0098044.EXE

Trojan.Downloader-ClickSpring/NDrv
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75861ED5-76E5-49A2-9FDF-1B0F8EABBA93}\RP553\A0098045.DLL

Adware.E404 Helper/Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75861ED5-76E5-49A2-9FDF-1B0F8EABBA93}\RP553\A0098056.DLL

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75861ED5-76E5-49A2-9FDF-1B0F8EABBA93}\RP553\A0098071.DLL

Adware.Vundo Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75861ED5-76E5-49A2-9FDF-1B0F8EABBA93}\RP553\A0099969.DLL

Trojan.Unclassified/Out-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75861ED5-76E5-49A2-9FDF-1B0F8EABBA93}\RP554\A0100099.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75861ED5-76E5-49A2-9FDF-1B0F8EABBA93}\RP554\A0100100.DLL



HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:42 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM6\aim6.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [bpg6688] "C:\Program Files\ZASystems Inc\ZAShare\ZaShare.exe" bpg6688
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....031/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1196234744766
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1196234734297
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 8079 bytes
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean ! We need to do a few things

You can delete the tools that we used


Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#15
bpg6688

bpg6688

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks a bunch! :)


ps. - Watchmen <3
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP