Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

rootkit (unsure of name) [resolved] [RESOLVED]

Started by heyitssupergirl , Feb 13 2008 07:59 PM

This topic is locked

#1
heyitssupergirl

Posted 13 February 2008 - 07:59 PM

Member

Member
69 posts

i have been having problems with "buffer overrun"(a screen shot should be somewhere around here)

happening mostly when i have several ie windows open which in turn shuts down explorer because of some type of a corruption
apart from that i also have pop ups that display when i have chosen to open ie or windows that pop up that never finishes loading
there are also other things like windows pop ups stating that my computer is infected with malware and the such the causes being adult websites ect.

i have read "You Must Read This Before Posting A Hijackthis Log, Malware Cleaning Guide" and hope that i have followed it well enough (please excuse my ignorance)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/13/2008 at 06:59 PM

Application Version : 3.9.1008

Core Rules Database Version : 3401
Trace Rules Database Version: 1393

Scan type : Complete Scan
Total Scan Time : 00:35:51

Memory items scanned : 413
Memory threats detected : 0
Registry items scanned : 7065
Registry threats detected : 0
File items scanned : 37288
File threats detected : 0

panda activescan

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\Nircmd.exe
Potentially unwanted tool:Application/Processor Not disinfected
C:\WINDOWS\system32\Process.exe

highjack this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:22 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WMedia32] wmedia32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lcntmlwb.exe DWoli5
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntmlwb.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\klwdw64m.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.aka...vex-2.0.6.4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe (file missing)

--
End of file - 7400 bytes

help is much appreciated! thanks in advance!

Attached Thumbnails

Edited by heyitssupergirl, 19 February 2008 - 09:10 PM.

#2
Rorschach112

Posted 13 February 2008 - 08:01 PM

Ralphie

Retired Staff
47,710 posts

Hello

You will need two posts for these logs

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Please download and unzip Icesword to its own folder on your desktop

If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.

Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.

Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.

Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.

Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.

Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks

#3
heyitssupergirl

Posted 13 February 2008 - 08:15 PM

Member

Topic Starter
Member
69 posts

main.txt

Deckard's System Scanner v20071014.68
Run by dre&bev on 2008-02-13 21:08:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 3 Restore Point(s) --
3: 2008-02-14 02:08:43 UTC - RP7 - Deckard's System Scanner Restore Point
2: 2008-02-14 01:27:48 UTC - RP6 - Installed Java™ 6 Update 3
1: 2008-02-13 23:10:57 UTC - RP5 - the one i made

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as dre&bev.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:33 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\dre&bev\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\dre&bev.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WMedia32] wmedia32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lcntmlwb.exe DWoli5
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntmlwb.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\klwdw64m.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.aka...vex-2.0.6.4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe (file missing)

--
End of file - 7257 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 AEXPAM (Philips SmartManage Service) - c:\windows\system32\drivers\aexpamdrv.sys <Not Verified; Philips Consumer Electronics Co.; Philips SmartManage>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S1 bdpredir - c:\program files\softwin\bitdefender10\bdpredir.sys (file missing)
S3 bdfdll - c:\program files\softwin\bitdefender10\bdfdll.sys (file missing)
S3 Profos - c:\program files\softwin\bitdefender10\profos.sys (file missing)
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>
S3 Trufos - c:\program files\softwin\bitdefender10\trufos.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AdobeActiveFileMonitor5.0 (Adobe Active File Monitor V5) - c:\program files\adobe\photoshop elements 5.0\photoshopelementsfileagent.exe
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S2 TmPfw (Trend Micro Personal Firewall) - c:\progra~1\trendm~1\intern~2\tmpfw.exe (file missing)
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe

-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_019D1028&REV_02\3&172E68DD&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_019D1028&REV_02\3&172E68DD&0&FD
Service:

-- Scheduled Tasks -------------------------------------------------------------

2008-02-13 17:17:00 270 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2008-02-13 03:00:00 508 --a------ C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job
2008-02-11 16:00:20 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-11-15 17:17:18 392 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job

-- Files created between 2008-01-13 and 2008-02-13 -----------------------------

2008-02-13 19:16:00 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-13 17:19:14 0 d-------- C:\Program Files\Trend Micro
2008-02-13 14:55:36 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-13 14:55:36 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-13 14:55:36 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-13 14:55:36 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-12 20:54:26 0 d-------- C:\VundoFix Backups
2008-02-12 20:24:31 1340 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-12 20:23:52 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-12 20:23:52 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-02-12 20:23:52 85504 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-02-12 20:23:52 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-02-12 20:23:52 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-02-12 20:23:52 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-02-12 20:23:52 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-12 20:11:13 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-12 20:10:56 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-12 20:10:56 0 d-------- C:\Documents and Settings\dre&bev\Application Data\SUPERAntiSpyware.com
2008-02-08 06:11:32 0 d-------- C:\Documents and Settings\dre&bev\Application Data\Real
2008-02-07 17:14:40 0 d-------- C:\Documents and Settings\dre&bev\Contacts
2008-02-07 15:36:40 0 d-------- C:\Documents and Settings\dre&bev\Application Data\Logitech
2008-02-07 15:31:13 69632 --a------ C:\WINDOWS\system32\KemXML.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-02-07 15:31:13 110592 --a------ C:\WINDOWS\system32\KemWnd.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-02-07 15:31:13 135168 --a------ C:\WINDOWS\system32\KemUtil.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-02-07 15:31:13 163840 --a------ C:\WINDOWS\system32\kemutb.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-02-07 15:30:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-02-07 15:30:39 0 d-------- C:\Program Files\Logitech
2008-02-07 15:30:34 0 d-------- C:\Program Files\Common Files\Logitech
2008-02-07 14:00:36 0 d-------- C:\Documents and Settings\dre&bev\Application Data\vlc
2008-02-07 06:56:15 0 d-------- C:\Documents and Settings\dre&bev\Application Data\Sun
2008-02-07 05:18:47 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-02-06 19:08:44 0 d-------- C:\Documents and Settings\dre&bev\Application Data\Apple Computer
2008-02-06 19:04:42 0 d-------- C:\Documents and Settings\dre&bev\Application Data\Macromedia
2008-02-06 18:51:39 0 d-------- C:\Documents and Settings\dre&bev\Application Data\Adobe
2008-02-06 18:27:43 0 d-------- C:\Documents and Settings\dre&bev\Application Data\DivX
2008-02-06 18:09:40 0 d-------- C:\Documents and Settings\dre&bev\Application Data\Identities
2008-02-06 18:08:49 0 d--h----- C:\Documents and Settings\dre&bev\Templates
2008-02-06 18:08:49 0 dr------- C:\Documents and Settings\dre&bev\Start Menu
2008-02-06 18:08:49 0 dr-h----- C:\Documents and Settings\dre&bev\SendTo
2008-02-06 18:08:49 0 dr-h----- C:\Documents and Settings\dre&bev\Recent
2008-02-06 18:08:49 0 d--h----- C:\Documents and Settings\dre&bev\PrintHood
2008-02-06 18:08:49 0 d--h----- C:\Documents and Settings\dre&bev\NetHood
2008-02-06 18:08:49 0 dr------- C:\Documents and Settings\dre&bev\My Documents
2008-02-06 18:08:49 0 d--h----- C:\Documents and Settings\dre&bev\Local Settings
2008-02-06 18:08:49 0 dr------- C:\Documents and Settings\dre&bev\Favorites
2008-02-06 18:08:49 0 d-------- C:\Documents and Settings\dre&bev\Desktop
2008-02-06 18:08:49 0 d--hs---- C:\Documents and Settings\dre&bev\Cookies
2008-02-06 18:08:49 0 dr-h----- C:\Documents and Settings\dre&bev\Application Data
2008-02-06 18:08:47 2097152 --ah----- C:\Documents and Settings\dre&bev\NTUSER.DAT
2008-02-06 16:16:14 91700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-06 16:16:14 85860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-06 16:10:56 0 d-------- C:\Program Files\Kaspersky Lab
2008-02-06 16:10:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-06 16:09:50 83232 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-06 16:09:50 16970272 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-06 16:07:34 0 d-------- C:\KAV
2008-02-06 12:01:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-06 02:30:45 0 d-------- C:\Program Files\Enigma Software Group
2008-02-05 23:56:44 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-02-05 19:12:54 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-02-04 20:31:03 0 d-------- C:\Program Files\DVD Decrypter
2008-01-31 19:16:33 0 d-------- C:\Program Files\Browser Mouse

-- Find3M Report ---------------------------------------------------------------

2008-02-13 20:30:48 0 d-------- C:\Program Files\Java
2008-02-13 20:06:05 0 d-------- C:\Program Files\iTunes
2008-02-12 20:10:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-11 08:47:45 0 d-------- C:\Program Files\Soulseek
2008-02-07 17:08:08 0 d-------- C:\Program Files\MSN Messenger
2008-02-07 15:34:32 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-07 15:30:34 0 d-------- C:\Program Files\Common Files
2008-02-07 14:39:11 0 d-------- C:\Program Files\Bazooka Scanner
2008-02-04 20:55:05 0 d-------- C:\Program Files\Common Files\Ahead
2008-01-21 17:12:24 0 d-------- C:\Program Files\iPod
2008-01-21 17:11:28 0 d-------- C:\Program Files\QuickTime
2008-01-20 05:26:34 0 d-------- C:\Program Files\Azureus
2008-01-14 19:07:41 0 d-------- C:\Program Files\DivX
2008-01-04 16:58:50 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 16:57:22 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-01-04 16:57:22 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-01-04 16:57:12 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-04 16:57:10 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-01-04 16:57:10 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-04 16:57:10 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-04 16:56:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-25 18:03:02 0 d-------- C:\Program Files\Common Files\NSV

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [06/10/2004 11:51 AM C:\WINDOWS\system32\P17.dll]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [09/20/2005 08:35 AM]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [09/20/2005 08:32 AM]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [09/20/2005 08:36 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 03:22 AM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/01/2007 02:57 PM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [06/28/2007 12:51 PM]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [01/23/2007 03:44 PM C:\WINDOWS\KHALMNPR.Exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/12/2007 11:42 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 07:00 AM]
"WMedia32"="wmedia32.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/10/2008 03:27 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/11/2005 10:12 PM]
"ExploreUpdSched"="C:\WINDOWS\system32\lcntmlwb.exe" []
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [09/14/2006 06:55 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [06/27/2007 07:03 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 12:54 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RssReader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)

-- End of Deckard's System Scanner: finished at 2008-02-13 21:12:41 ------------

extra.txt

-- Application Event Log -------------------------------------------------------

Event Record #/Type8375 / Success
Event Submitted/Written: 02/13/2008 08:45:17 PM
Event ID/Source: 2570 / Adobe Active File Monitor 5.0
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type8367 / Success
Event Submitted/Written: 02/13/2008 06:20:03 PM
Event ID/Source: 2570 / Adobe Active File Monitor 5.0
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type8360 / Success
Event Submitted/Written: 02/13/2008 06:00:53 PM
Event ID/Source: 2570 / Adobe Active File Monitor 5.0
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type8342 / Warning
Event Submitted/Written: 02/13/2008 05:58:18 PM
Event ID/Source: 1020 / ASP.NET 2.0.50727.0
Event Description:
Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

Event Record #/Type8275 / Success
Event Submitted/Written: 02/13/2008 05:43:24 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type16573 / Error
Event Submitted/Written: 02/13/2008 08:45:27 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
bdpredir

Event Record #/Type16572 / Error
Event Submitted/Written: 02/13/2008 08:45:22 PM
Event ID/Source: 7003 / Service Control Manager
Event Description:
The Trend Micro Personal Firewall service depends on the following nonexistent service: tmcfw

Event Record #/Type16541 / Error
Event Submitted/Written: 02/13/2008 06:20:23 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
bdpredir

Event Record #/Type16540 / Error
Event Submitted/Written: 02/13/2008 06:20:21 PM
Event ID/Source: 7003 / Service Control Manager
Event Description:
The Trend Micro Personal Firewall service depends on the following nonexistent service: tmcfw

Event Record #/Type16512 / Error
Event Submitted/Written: 02/13/2008 06:01:03 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
bdpredir

-- End of Deckard's System Scanner: finished at 2008-02-13 21:12:41 ------------

#4
Rorschach112

Posted 14 February 2008 - 07:32 AM

Ralphie

Retired Staff
47,710 posts

Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WMedia32] wmedia32.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntmlwb.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\klwdw64m.exe

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
```
C:\WINDOWS\system32\wmedia32.exe
C:\WINDOWS\system32\lcntmlwb.exe
C:\WINDOWS\system32\klwdw64m.exe
```
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
```
purity
```
Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Can you also post the IceSword logs

#5
heyitssupergirl

Posted 14 February 2008 - 04:20 PM

Member

Topic Starter
Member
69 posts

System Idle Process
System
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\smss.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\alg.exe
C:\Documents and Settings\dre&bev\Desktop\IceSword122en\IceSword.exe
C:\WINDOWS\system32\notepad.exe

#6
Rorschach112

Posted 15 February 2008 - 08:28 AM

Ralphie

Retired Staff
47,710 posts

Can you post all the IceSword logs...

#7
heyitssupergirl

Posted 19 February 2008 - 03:28 PM

Member

Topic Starter
Member
69 posts

are you still watching this thread? sorry for the wait had started my work week and i work long days so i am sorry.

#8
Rorschach112

Posted 19 February 2008 - 03:38 PM

Ralphie

Retired Staff
47,710 posts

Yes go ahead and run IceSword and post all the logs from it

#9
heyitssupergirl

Posted 19 February 2008 - 03:45 PM

Member

Topic Starter
Member
69 posts

Process:

System Idle Process
System
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\smss.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Documents and Settings\dre&bev\Desktop\IceSword122en\IceSword.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe

-----------------------------------------------

Started Service:

Service Name:6to4 Display Name:IPv6 Helper Service
Service Name:AdobeActiveFileMonitor5.0 Display Name:Adobe Active File Monitor V5
Service Name:ALG Display Name:Application Layer Gateway Service
Service Name:Apple Mobile Device Display Name:Apple Mobile Device
Service Name:AudioSrv Display Name:Windows Audio
Service Name:AVP Display Name:Kaspersky Anti-Virus 7.0
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:helpsvc Display Name:Help and Support
Service Name:iPod Service Display Name:iPod Service
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:NMIndexingService Display Name:NMIndexingService
Service Name:PlugPlay Display Name:Plug and Play
Service Name:Pml Driver HPZ12 Display Name:Pml Driver HPZ12
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:SharedAccess Display Name:Windows Firewall/Internet Connection Sharing (ICS)
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Name:Print Spooler
Service Name:srservice Display Name:System Restore Service
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:usnjsvc Display Name:Messenger Sharing Folders USN Journal Reader service
Service Name:W32Time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:wscsvc Display Name:Security Center
Service Name:wuauserv Display Name:Automatic Updates
Service Name:WZCSVC Display Name:Wireless Zero Configuration

------------------------------------------------------------------------

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
iTunesHelper
"C:\Program Files\iTunes\iTunesHelper.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NeroFilterCheck
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVP
"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Logitech Hardware Abstraction Layer
KHALMNPR.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TkBellExe
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GrooveMonitor
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WMedia32
wmedia32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HP Software Update
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ExploreUpdSched
C:\WINDOWS\system32\lcntmlwb.exe DWoli5

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
egui
"C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Photo Downloader
"C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SUPERAntiSpyware
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
msnmsgr
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Logitech SetPoint.lnk
C:\Program Files\Logitech\SetPoint\SetPoint.exe (Remark£º)

C:\Documents and Settings\dre&bev\Start Menu\Programs\Startup
desktop.ini

C:\Documents and Settings\dre&bev\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Remark£ºScreen Clipper (Windows+S) and Launcher (Windows+N) for Microsoft Office OneNote.)

#10
heyitssupergirl

Posted 19 February 2008 - 03:48 PM

Member

Topic Starter
Member
69 posts

in ssdt would you like only what is marked under kmodule or would you also like the "name" cause that may take awhile

#11
Rorschach112

Posted 19 February 2008 - 03:51 PM

Ralphie

Retired Staff
47,710 posts

Just the KModule name of the red entries

#12
heyitssupergirl

Posted 19 February 2008 - 03:54 PM

Member

Topic Starter
Member
69 posts

\??\C:\WINDOWS\system32\drivers\klif.sys
and under message hooks there are no red entries for wh_keyboard

#13
heyitssupergirl

Posted 19 February 2008 - 04:06 PM

Member

Topic Starter
Member
69 posts

OTMoveIt2 by OldTimer.

[Custom Input]
< C:\WINDOWS\system32\wmedia32.exe >
File/Folder C:\WINDOWS\system32\wmedia32.exe not found.
< C:\WINDOWS\system32\lcntmlwb.exe >
File/Folder C:\WINDOWS\system32\lcntmlwb.exe not found.
< C:\WINDOWS\system32\klwdw64m.exe >
File/Folder C:\WINDOWS\system32\klwdw64m.exe not found.

OTMoveIt2 v1.0.20 log created on 02192008_170712

#14
Rorschach112

Posted 19 February 2008 - 04:10 PM

Ralphie

Retired Staff
47,710 posts

Ok looking good

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Reboot and post a new DSS log

#15
heyitssupergirl

Posted 19 February 2008 - 04:23 PM

Member

Topic Starter
Member
69 posts

Malwarebytes' Anti-Malware 1.04
Database version: 380

Scan type: Quick Scan
Objects scanned: 32049
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)