Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

"manage windows security" infection [RESOLVED]


  • This topic is locked This topic is locked

#1
aussie84

aussie84

    New Member

  • Member
  • Pip
  • 4 posts
Hi all

i have an infection on my pc (windows xp) whereby a fake red manage windows security icon is in my system tray. clicking it brings up a window similar to a windows security center window, that tries to get me to download a bunch of programs (which i have not done), including winifixer. i have done a search and found a number of other people on the forum have had the same issue, but their solutions have varied and i haven't been able to solve mine. i would be very grateful for any assistance - here is my hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:30 AM, on 27/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\PROGRA~1\COMMON~1\TRUSTE~1\gac.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\TrustedAntivirus\pgs.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://au.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - C:\WINDOWS\system32\ISECUR~1.CPL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [gac] "C:\PROGRA~1\COMMON~1\TRUSTE~1\gac.exe" -start
O4 - HKLM\..\Run: [ptask] C:\Program Files\TrustedAntivirus\ptask.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKLM\..\Run: [BMbf4d7c8c] Rundll32.exe "C:\WINDOWS\system32\fsrenqps.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TrustedAntivirus] C:\Program Files\TrustedAntivirus\pgs.exe /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ShortKeys Lite.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O20 - Winlogon Notify: mljhiij - mljhiij.dll (file missing)
O21 - SSODL: ChkChk - {be83b27f-e6e1-4d73-aef7-333a91bdd56f} - C:\WINDOWS\Installer\{be83b27f-e6e1-4d73-aef7-333a91bdd56f}\ChkChk.dll
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - C:\WINDOWS\system32\ISECUR~1.CPL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7536 bytes

thanks in advance
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Download Malwarebytes ' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

  • 0

#3
aussie84

aussie84

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
hey there

thanks heaps for the help... having run those programs, the icon is gone from my system tray and my pc just loaded a [bleep] of a lot faster than it has recently... let me know what else i need to do.

ComboFix 08-04-24.1 - David Miller-Heidke 2008-04-27 18:43:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.730 [GMT 10:00]
Running from: C:\Documents and Settings\David Miller-Heidke\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMbf4d7c8c.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bdtdiwce.dll
C:\WINDOWS\system32\dsttcivp.dll
C:\WINDOWS\system32\gmpmxncd.dll
C:\WINDOWS\system32\mkujwfmd.ini
C:\WINDOWS\system32\orqss.ini2
C:\WINDOWS\system32\ppidtghd.ini
C:\WINDOWS\system32\qkysxnrx.dll
C:\WINDOWS\system32\wkpplsby.ini
C:\WINDOWS\system32\yqdpcdfi.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DHLP


((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-27 13:30 . 2008-04-27 13:30 <DIR> d-------- C:\Documents and Settings\David Miller-Heidke\Application Data\Malwarebytes
2008-04-27 13:29 . 2008-04-27 13:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-27 13:29 . 2008-04-27 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-27 09:05 . 2008-04-27 09:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-24 21:24 . 2008-04-24 21:21 396,495 --a------ C:\Lemmings.zip
2008-04-19 20:21 . 2008-04-19 20:21 126,976 --a------ C:\WINDOWS\War3Unin.exe
2008-04-19 20:21 . 2008-04-19 20:24 23,289 --a------ C:\WINDOWS\War3Unin.dat
2008-04-19 20:21 . 2008-04-19 20:21 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-04-01 19:33 . 2008-04-01 19:33 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-04-01 19:33 . 2007-01-24 15:27 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2008-04-01 19:31 . 2008-04-01 19:32 <DIR> d-------- C:\Program Files\Hospital Tycoon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 08:47 --------- d-----w C:\Program Files\lg_fwupdate
2008-04-27 08:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-25 00:56 --------- d-----w C:\Program Files\Starcraft
2008-04-24 09:03 --------- d-----w C:\Program Files\Spyware Doctor
2008-04-20 02:13 --------- d-----w C:\Program Files\Warcraft III
2008-03-20 11:16 --------- d-----w C:\Documents and Settings\David Miller-Heidke\Application Data\PC Tools
2008-03-18 12:19 --------- d-----w C:\Program Files\Enigma Software Group
2008-03-15 05:11 --------- d-----w C:\Program Files\Lavasoft
2008-03-15 05:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-15 05:10 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-11 11:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Musicnotes
2008-03-11 06:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-11 06:23 --------- d-----r C:\Documents and Settings\All Users\Application Data\SalesMon
2008-03-05 09:53 --------- d-----w C:\Program Files\ecoute
2008-03-05 09:52 --------- d-----w C:\Program Files\ShortKeys
2008-02-01 09:49 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-02-01 09:49 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2007-11-18 23:11 22,328 ----a-w C:\Documents and Settings\David Miller-Heidke\Application Data\PnkBstrK.sys
2004-10-01 05:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"TrustedAntivirus"="C:\Program Files\TrustedAntivirus\pgs.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-14 12:06 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-06 10:44 249856]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 18:22 577536 C:\WINDOWS\soundman.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 14:54 229952]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"Launch LCDMon"="C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 16:54 774168]
"Launch LGDCore"="C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 17:22 1132056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ShortKeys Lite.lnk - C:\PROGRA~1\SHORTK~1\shortkey.exe [2008-03-05 19:52:33 646656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhiij]
mljhiij.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\fpupdate.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"C:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"E:\\Program Files\\Starcraft\\starcraft.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Fazsoftware\\Dukester X\\1.5\\DukesterX.exe"=
"C:\\Program Files\\BitZip\\bitzip.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRESX.EXE"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.EXE"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\CAVEDOG\\TOTALA\\TotalA.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724


.
Contents of the 'Scheduled Tasks' folder
"2008-04-27 08:37:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 18:47:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-04-27 18:50:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-27 08:50:05

Pre-Run: 176,952,438,784 bytes free
Post-Run: 177,692,278,784 bytes free

161 --- E O F --- 2007-07-10 22:44:11
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Uninstall TrustedAntivirus via your Add/Remove Programs panel if found.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

DirLook::
C:\Program Files\ecoute
C:\Program Files\ShortKeys
Folder::
C:\Documents and Settings\All Users\Application Data\Microsoft Help
C:\Documents and Settings\All Users\Application Data\SalesMon
C:\Program Files\TrustedAntivirus\
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrustedAntivirus"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhiij]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#5
aussie84

aussie84

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
trustedantivirus was still in the add/remove programs list, but had already been removed apparently (it has now been removed from the add/remove list). cheers


ComboFix 08-04-24.1 - David Miller-Heidke 2008-04-28 7:55:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.692 [GMT 10:00]
Running from: C:\Documents and Settings\David Miller-Heidke\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David Miller-Heidke\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft Help
C:\Documents and Settings\All Users\Application Data\Microsoft Help\Hx.hxn
C:\Documents and Settings\All Users\Application Data\Microsoft Help\Hx_3081_MKWD_K.HxW
C:\Documents and Settings\All Users\Application Data\Microsoft Help\Hx_3081_MKWD_NamedURL.HxW
C:\Documents and Settings\All Users\Application Data\Microsoft Help\Hx_3081_MTOC_Hx.HxH
C:\Documents and Settings\All Users\Application Data\Microsoft Help\Hx_3081_MValidator.HxD
C:\Documents and Settings\All Users\Application Data\Microsoft Help\Hx_3081_MValidator.Lck
C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.EXCEL.12.1033.hxn
C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.EXCEL.DEV.12.1033.hxn
C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.GRAPH.12.1033.hxn
C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.MSTORE.12.1033.hxn
C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.OIS.12.1033.hxn
C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.ONENOTE.12.1033.hxn
C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.POWERPNT.12.1033.hxn
C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.POWERPNT.DEV.12.1033.hxn
C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.RIBBON.12.1033.hxn
C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.SETLANG.12.1033.hxn
C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.WINWORD.12.1033.hxn
C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.WINWORD.12.1033_3081_MKWD_F.HxW
C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.WINWORD.12.1033_3081_MKWD_K.HxW
C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.WINWORD.12.1033_3081_MTOC_WINWORD_COL.HxH
C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.WINWORD.12.1033_3081_MValidator.HxD
C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.WINWORD.12.1033_3081_MValidator.Lck
C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.WINWORD.DEV.12.1033.hxn
C:\Documents and Settings\All Users\Application Data\Microsoft Help\nslist.hxl
C:\Documents and Settings\All Users\Application Data\SalesMon
C:\Documents and Settings\David Miller-Heidke\ResErrors.log

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-27 13:30 . 2008-04-27 13:30 <DIR> d-------- C:\Documents and Settings\David Miller-Heidke\Application Data\Malwarebytes
2008-04-27 13:29 . 2008-04-27 13:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-27 13:29 . 2008-04-27 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-27 09:05 . 2008-04-27 09:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-24 21:24 . 2008-04-24 21:21 396,495 --a------ C:\Lemmings.zip
2008-04-19 20:21 . 2008-04-19 20:21 126,976 --a------ C:\WINDOWS\War3Unin.exe
2008-04-19 20:21 . 2008-04-19 20:24 23,289 --a------ C:\WINDOWS\War3Unin.dat
2008-04-19 20:21 . 2008-04-19 20:21 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-04-01 19:33 . 2008-04-01 19:33 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-04-01 19:33 . 2007-01-24 15:27 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2008-04-01 19:31 . 2008-04-01 19:32 <DIR> d-------- C:\Program Files\Hospital Tycoon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 21:50 --------- d-----w C:\Program Files\lg_fwupdate
2008-04-27 08:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-25 00:56 --------- d-----w C:\Program Files\Starcraft
2008-04-24 09:03 --------- d-----w C:\Program Files\Spyware Doctor
2008-04-20 03:00 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-04-20 02:13 --------- d-----w C:\Program Files\Warcraft III
2008-03-20 11:16 --------- d-----w C:\Documents and Settings\David Miller-Heidke\Application Data\PC Tools
2008-03-18 12:19 --------- d-----w C:\Program Files\Enigma Software Group
2008-03-17 00:42 99,904 ----a-w C:\WINDOWS\system32\hxmsnxhj.dll
2008-03-17 00:40 95,296 ----a-w C:\WINDOWS\system32\tvpdmhoa.dll
2008-03-15 05:11 --------- d-----w C:\Program Files\Lavasoft
2008-03-15 05:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-15 05:10 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-15 01:15 98,368 ----a-w C:\WINDOWS\system32\suqfaawb.dll
2008-03-15 01:09 96,832 ----a-w C:\WINDOWS\system32\rcqtrkpi.dll
2008-03-11 11:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Musicnotes
2008-03-05 09:53 --------- d-----w C:\Program Files\ecoute
2008-03-05 09:52 --------- d-----w C:\Program Files\ShortKeys
2008-02-01 09:57 21,840 ----a-w C:\WINDOWS\system32\SIntfNT.dll
2008-02-01 09:57 17,212 ----a-w C:\WINDOWS\system32\SIntf32.dll
2008-02-01 09:57 12,067 ----a-w C:\WINDOWS\system32\SIntf16.dll
2008-02-01 09:49 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-02-01 09:49 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2007-11-18 23:11 22,328 ----a-w C:\Documents and Settings\David Miller-Heidke\Application Data\PnkBstrK.sys
2004-10-01 05:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\ecoute ----

2005-04-07 08:54 0 --a------ C:\Program Files\ecoute\0.txt

---- Directory of C:\Program Files\ShortKeys ----

2008-03-05 19:52 3056 --a------ C:\Program Files\ShortKeys\INSTALL.LOG
2003-06-23 16:09 39507 --a------ C:\Program Files\ShortKeys\keylite.shk
2001-05-24 13:59 162304 --a------ C:\Program Files\ShortKeys\UNWISE.EXE
1999-10-12 22:39 646656 --a------ C:\Program Files\ShortKeys\shortkey.exe
1999-10-12 16:47 334372 --a------ C:\Program Files\ShortKeys\shortkey.hlp
1999-05-07 14:20 29184 --a------ C:\Program Files\ShortKeys\shtk95hk.dll
1999-04-16 10:12 291328 --a------ C:\Program Files\ShortKeys\thehint.exe


((((((((((((((((((((((((((((( [email protected]_18.49.57.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-27 08:47:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-27 21:49:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-14 12:06 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-06 10:44 249856]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 18:22 577536 C:\WINDOWS\soundman.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 14:54 229952]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"Launch LCDMon"="C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 16:54 774168]
"Launch LGDCore"="C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 17:22 1132056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ShortKeys Lite.lnk - C:\PROGRA~1\SHORTK~1\shortkey.exe [2008-03-05 19:52:33 646656]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\fpupdate.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"C:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"E:\\Program Files\\Starcraft\\starcraft.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Fazsoftware\\Dukester X\\1.5\\DukesterX.exe"=
"C:\\Program Files\\BitZip\\bitzip.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRESX.EXE"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.EXE"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\CAVEDOG\\TOTALA\\TotalA.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724


*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-27 10:37:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 07:56:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Documents and Settings\David Miller-Heidke\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_BEBC_7E9D_BC7E_4FBF\$db_clean$ 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-04-28 7:57:00
ComboFix-quarantined-files.txt 2008-04-27 21:56:57
ComboFix2.txt 2008-04-27 08:50:08

Pre-Run: 177,939,427,328 bytes free
Post-Run: 177,936,896,000 bytes free

180 --- E O F --- 2007-07-10 22:44:11
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\WINDOWS\system32\hxmsnxhj.dll
C:\WINDOWS\system32\tvpdmhoa.dll
C:\WINDOWS\system32\suqfaawb.dll
C:\WINDOWS\system32\rcqtrkpi.dll

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is the computer running so far?
  • 0

#7
aussie84

aussie84

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
hey

pc is running very well... i get the feeling that the windows security thing wasn't the only infection... pretty much all programs are loading noticeably faster now.


ComboFix 08-04-24.1 - David Miller-Heidke 2008-04-28 10:29:05.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.655 [GMT 10:00]
Running from: C:\Documents and Settings\David Miller-Heidke\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David Miller-Heidke\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\hxmsnxhj.dll
C:\WINDOWS\system32\rcqtrkpi.dll
C:\WINDOWS\system32\suqfaawb.dll
C:\WINDOWS\system32\tvpdmhoa.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hxmsnxhj.dll
C:\WINDOWS\system32\rcqtrkpi.dll
C:\WINDOWS\system32\suqfaawb.dll
C:\WINDOWS\system32\tvpdmhoa.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-27 13:30 . 2008-04-27 13:30 <DIR> d-------- C:\Documents and Settings\David Miller-Heidke\Application Data\Malwarebytes
2008-04-27 13:29 . 2008-04-27 13:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-27 13:29 . 2008-04-27 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-27 09:05 . 2008-04-27 09:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-24 21:24 . 2008-04-24 21:21 396,495 --a------ C:\Lemmings.zip
2008-04-19 20:21 . 2008-04-19 20:21 126,976 --a------ C:\WINDOWS\War3Unin.exe
2008-04-19 20:21 . 2008-04-19 20:24 23,289 --a------ C:\WINDOWS\War3Unin.dat
2008-04-19 20:21 . 2008-04-19 20:21 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-04-01 19:33 . 2008-04-01 19:33 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-04-01 19:33 . 2007-01-24 15:27 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2008-04-01 19:31 . 2008-04-01 19:32 <DIR> d-------- C:\Program Files\Hospital Tycoon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 21:50 --------- d-----w C:\Program Files\lg_fwupdate
2008-04-27 08:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-25 00:56 --------- d-----w C:\Program Files\Starcraft
2008-04-24 09:03 --------- d-----w C:\Program Files\Spyware Doctor
2008-04-20 03:00 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-04-20 02:13 --------- d-----w C:\Program Files\Warcraft III
2008-03-20 11:16 --------- d-----w C:\Documents and Settings\David Miller-Heidke\Application Data\PC Tools
2008-03-18 12:19 --------- d-----w C:\Program Files\Enigma Software Group
2008-03-15 05:11 --------- d-----w C:\Program Files\Lavasoft
2008-03-15 05:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-15 05:10 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-11 11:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Musicnotes
2008-03-05 09:53 --------- d-----w C:\Program Files\ecoute
2008-03-05 09:52 --------- d-----w C:\Program Files\ShortKeys
2008-02-01 09:57 21,840 ----a-w C:\WINDOWS\system32\SIntfNT.dll
2008-02-01 09:57 17,212 ----a-w C:\WINDOWS\system32\SIntf32.dll
2008-02-01 09:57 12,067 ----a-w C:\WINDOWS\system32\SIntf16.dll
2008-02-01 09:49 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-02-01 09:49 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2007-11-18 23:11 22,328 ----a-w C:\Documents and Settings\David Miller-Heidke\Application Data\PnkBstrK.sys
2004-10-01 05:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( [email protected]_18.49.57.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-27 08:47:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-27 21:49:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-14 12:06 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-06 10:44 249856]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 18:22 577536 C:\WINDOWS\soundman.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 14:54 229952]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"Launch LCDMon"="C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 16:54 774168]
"Launch LGDCore"="C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 17:22 1132056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ShortKeys Lite.lnk - C:\PROGRA~1\SHORTK~1\shortkey.exe [2008-03-05 19:52:33 646656]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\fpupdate.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"C:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"E:\\Program Files\\Starcraft\\starcraft.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Fazsoftware\\Dukester X\\1.5\\DukesterX.exe"=
"C:\\Program Files\\BitZip\\bitzip.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRESX.EXE"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.EXE"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\CAVEDOG\\TOTALA\\TotalA.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724


*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-27 23:37:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 10:29:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-28 10:29:57
ComboFix-quarantined-files.txt 2008-04-28 00:29:52
ComboFix2.txt 2008-04-27 21:57:01
ComboFix3.txt 2008-04-27 08:50:08

Pre-Run: 177,729,630,208 bytes free
Post-Run: 177,919,389,696 bytes free

146 --- E O F --- 2007-07-10 22:44:11
  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Just want to confirm one more time. Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#9
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP