Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Constant Pop-Ups & Significant Decrease in Internet Speed [RESOLVE

Started by thajoker , May 12 2008 08:51 PM

  • This topic is locked This topic is locked

#1
thajoker
Posted 12 May 2008 - 08:51 PM

thajoker

    Member

  • Member
  • PipPip
  • 51 posts
Hey. Thanks for attending to this post. Lately, I may have installed something or visited a website that infecte me with malware or some sort of spyware. Either way, I posted a HiJackThis Log below hoping that someone would be able to help me. Personally, I have no hinch on what type of malwareI have but I am sre there is a significant decrease in the performance of my pc, the speed of my internet, and the constant nuisance of pop-ups every 2 seconds. I understand that all of you have your own personal lives and may not respond to this right away but i appreciate and am grateful for your help. Thanks again.

`angus.

Below is the posted HiJackThis! Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:25 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Pen Power\Win32\acremchk.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [Mediafour XPlay Tray Notification Icon] C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Microsoft] svhost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BM8f370d7d] Rundll32.exe "C:\WINDOWS\system32\fbhuaymc.dll",s
O4 - HKLM\..\RunServices: [Microsoft] svhost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PenPower Email Touchpad.lnk = ?
O8 - Extra context menu item: &?????? - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: &?????????? - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1163557511906
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163557506015
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zon...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab55579.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload....GPlugin9USA.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers...eminfo/MSC3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} - http://gamedownload....Plugin10USA.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: Windows Live OneCare (winss) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\winss.exe (file missing)

--
End of file - 10362 bytes
  • 0

Advertisements

#2
greyknight17
Posted 13 May 2008 - 08:51 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O4 - HKLM\..\Run: [Microsoft] svhost.exe
O4 - HKLM\..\Run: [BM8f370d7d] Rundll32.exe "C:\WINDOWS\system32\fbhuaymc.dll",s
O4 - HKLM\..\RunServices: [Microsoft] svhost.exe

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\svhost.exe - careful with the spelling....don't get it mixed up with svchost.exe
C:\WINDOWS\system32\fbhuaymc.dll

If you have problems deleting the files, just continue with the below and post back which one you have problems removing.

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#3
thajoker
Posted 13 May 2008 - 10:26 PM

thajoker

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
Hey,

Thanks for attending to my issue. I really appreciate it and I knew I could trust on you geeks to go experts for help. Anyways I was able to delete as instructed:

O4 - HKLM\..\Run: [Microsoft] svhost.exe
O4 - HKLM\..\RunServices: [Microsoft] svhost.exe

However I could not find O4 - HKLM\..\Run: [BM8f370d7d] Rundll32.exe "C:\WINDOWS\system32\fbhuaymc.dll",s but I am certain I deleted C:\WINDOWS\system32\fbhuaymc.dll which I think is the same file. Anyways that is the information i felt I needed to inform you of.

Anyways, Below is the Combofix Log:

ComboFix 08-05-12.1 - Angus Chan 2008-05-14 0:11:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.530 [GMT -4:00]
Running from: C:\Documents and Settings\Angus Chan\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\axpdfrsn.dll
C:\WINDOWS\system32\byXRHXRj.dll
C:\WINDOWS\system32\cjsngfpf.ini
C:\WINDOWS\system32\dfmcofjf.dll
C:\WINDOWS\system32\ekacwhpk.dll
C:\WINDOWS\system32\epqqypjs.dll
C:\WINDOWS\system32\fpfgnsjc.dll
C:\WINDOWS\system32\jRXHRXyb.ini
C:\WINDOWS\system32\jRXHRXyb.ini2
C:\WINDOWS\system32\kwcuiemf.dll
C:\WINDOWS\system32\llkkj.tmp
C:\WINDOWS\system32\llkkj.tmp2
C:\WINDOWS\system32\lrrpwiyx.dll
C:\WINDOWS\system32\mlJApOIa.dll
C:\WINDOWS\system32\nsrfdpxa.ini
C:\WINDOWS\system32\pemtnptv.ini
C:\WINDOWS\system32\qpjnpulr.dll
C:\WINDOWS\system32\vtpntmep.dll
C:\WINDOWS\system32\yayYPhii.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-12 22:32 . 2008-05-12 22:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-12 16:38 . 2008-05-12 16:38 1,490,346 --ahs---- C:\WINDOWS\system32\ihvggwcj.tmp
2008-05-12 16:34 . 2008-05-13 23:51 109,862 --a------ C:\WINDOWS\BM8f370d7d.xml
2008-05-09 02:03 . 2008-05-12 17:09 1,305 --a------ C:\WINDOWS\psmplay.ini
2008-05-09 02:02 . 2008-05-09 02:05 <DIR> d-------- C:\Program Files\PSM5
2008-05-08 00:35 . 2008-05-08 00:35 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-05-08 00:07 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-05-08 00:07 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-05-08 00:06 . 2008-05-08 00:06 <DIR> d-------- C:\Program Files\ESET
2008-05-08 00:06 . 2008-05-08 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-06 17:16 . 2008-05-06 17:16 <DIR> d-------- C:\Program Files\Antares Audio Technologies
2008-05-06 17:16 . 2008-05-06 17:16 <DIR> d-------- C:\Documents and Settings\Angus Chan\Application Data\Antares
2008-05-05 23:41 . 2008-05-05 23:41 <DIR> d-------- C:\Program Files\SopCast
2008-04-27 01:43 . 2008-04-27 02:19 <DIR> d-------- C:\Program Files\PKR
2008-04-19 00:32 . 2008-04-19 00:32 2,337,865 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-04-18 23:48 . 2008-05-09 01:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-04-18 23:40 . 2008-05-09 01:31 <DIR> d-------- C:\Program Files\Ubisoft
2008-04-16 17:26 . 2008-04-16 17:29 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-04-16 17:26 . 2008-04-16 17:52 76,319 --a------ C:\WINDOWS\War3Unin.dat
2008-04-16 17:26 . 2008-04-16 17:29 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-04-16 17:24 . 2008-05-13 21:04 <DIR> d-------- C:\Program Files\Warcraft III

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 02:51 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-12 20:29 --------- d-----w C:\Documents and Settings\Angus Chan\Application Data\uTorrent
2008-05-11 19:34 --------- d-----w C:\Documents and Settings\Angus Chan\Application Data\LimeWire
2008-05-11 04:25 --------- d-----w C:\Program Files\LimeWire
2008-05-10 03:55 --------- d-----w C:\Program Files\Real Alternative
2008-05-09 05:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-09 05:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-09 05:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-08 04:33 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-08 03:46 --------- d-----w C:\Program Files\OGPlanet
2008-05-06 21:16 --------- d-----w C:\Program Files\VstPlugins
2008-05-01 04:41 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-04-19 04:33 22,328 ----a-w C:\Documents and Settings\Angus Chan\Application Data\PnkBstrK.sys
2008-04-19 02:31 --------- d-----w C:\Program Files\Java
2008-04-19 02:30 --------- d--h--w C:\Documents and Settings\Angus Chan\Application Data\ijjigame
2008-04-13 15:41 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-04-13 06:36 --------- d-----w C:\Program Files\Total Video Converter
2008-04-13 06:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grid
2008-04-13 04:33 --------- d-----w C:\Program Files\MSN Messenger
2008-04-08 20:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-07 19:57 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-06 21:43 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-04-02 22:31 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-03-29 03:40 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-29 03:37 --------- d-----w C:\Program Files\Windows Live
2008-03-22 23:01 --------- d-----w C:\Program Files\GenieSoft
.

------- Sigcheck -------

2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$hf_mig$\KB917953\SP2GDR\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2006-04-20 07:38 340480 b8158e2a6112c0a5ca67bc158fc70218 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2003-03-31 08:00 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtUninstallKB917953_0$\tcpip.sys
2006-04-20 07:51 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-02-19 19:22 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-02-19 19:22 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 16:21 61952 C:\WINDOWS\system32\HdAShCut.exe]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 17:10 57344]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.DLL]
"BluetoothAuthenticationAgent"="rundll32.exe" [2004-08-04 03:56 33280 C:\WINDOWS\system32\rundll32.exe]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"Mediafour XPlay Tray Notification Icon"="C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE" [2004-09-27 16:11 94208]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-12-17 15:43 61440]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 17:54 106496]
"RegistryMechanic"="" []
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 21:08 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 19:52 849280]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

C:\Documents and Settings\Angus Chan\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 21:16:50 113664]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-01-22 01:03:11 376832]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
PenPower Email Touchpad.lnk - C:\Program Files\Pen Power\Win32\acremchk.exe [2008-01-05 18:44:46 305152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"C:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2005-07-20 18:35]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-09-13 14:53]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-02-04 17:09]
R2 ACEDRV09;ACEDRV09;C:\WINDOWS\system32\drivers\ACEDRV09.sys [2007-12-03 17:44]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2006-10-31 12:10]
S3 Revolution1;Revolution1;C:\Documents and Settings\Angus Chan\Desktop\gb\gb\Revolution_Engine_8.3_ShaK3\SHAK3.sys []
S3 SunkFilt6;Alcor Micro Corp - 6360;C:\WINDOWS\System32\Drivers\sunkfilt6.sys []
S3 SunkFilt62;Alcor Micro Corp - 6362;C:\WINDOWS\System32\Drivers\sunkfilt62.sys []
S3 UPnPService;UPnPService;C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 17:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f6aad47-c895-11dc-b4f4-0018f343b323}]
\Shell\AutoRun\command - F:\PMB_P.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-03 11:00:30 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe%Scan -RestrictPrivileges -ScanType 1
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 00:18:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-05-14 0:23:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 04:22:46

Pre-Run: 74,680,442,880 bytes free
Post-Run: 75,555,463,168 bytes free

196 --- E O F --- 2008-04-08 20:05:33


Thanks again for your help. Looking forward for your next reply
  • 0

#4
greyknight17
Posted 14 May 2008 - 05:55 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Do you have any problems using your USB Flash/Thumb drives?

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\WINDOWS\system32\ihvggwcj.tmp
C:\WINDOWS\BM8f370d7d.xml

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is the computer running so far? Any better?
  • 0

#5
thajoker
Posted 14 May 2008 - 08:32 PM

thajoker

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
Hey greyknight17,

Thanks again for your efficient responses. So far I have not encountered any problems with my USB drives as I have hardware connected to my USB drives all the time and they seem to be functioning properly. Just to be safe I experimented with the use of extra USB Memory sticks on my PC tower and they did not encounter any problems as well. However I am unsure of the difference between USB Flash/ Thumb drives and therefore it is hard for me to give you response on that. But as for PC performance, it is evident that the speed of my pc and internet has returned back to normal. Well for the very least, it doesnt take an hour and 500 pop-ups before I can make it to this post. It only takes half an hour and 400 popups now. haha jk :) Anyways thanks for helping me again and below is the CF log as requested:

ComboFix 08-05-12.1 - Angus Chan 2008-05-14 22:07:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.521 [GMT -4:00]
Running from: C:\Documents and Settings\Angus Chan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Angus Chan\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM8f370d7d.xml
C:\WINDOWS\system32\ihvggwcj.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM8f370d7d.xml
C:\WINDOWS\system32\ihvggwcj.tmp

.
((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.

2008-05-12 22:32 . 2008-05-12 22:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-09 02:03 . 2008-05-12 17:09 1,305 --a------ C:\WINDOWS\psmplay.ini
2008-05-09 02:02 . 2008-05-09 02:05 <DIR> d-------- C:\Program Files\PSM5
2008-05-08 00:35 . 2008-05-08 00:35 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-05-08 00:07 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-05-08 00:07 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-05-08 00:06 . 2008-05-08 00:06 <DIR> d-------- C:\Program Files\ESET
2008-05-08 00:06 . 2008-05-08 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-06 17:16 . 2008-05-06 17:16 <DIR> d-------- C:\Program Files\Antares Audio Technologies
2008-05-06 17:16 . 2008-05-06 17:16 <DIR> d-------- C:\Documents and Settings\Angus Chan\Application Data\Antares
2008-05-05 23:41 . 2008-05-05 23:41 <DIR> d-------- C:\Program Files\SopCast
2008-04-27 01:43 . 2008-04-27 02:19 <DIR> d-------- C:\Program Files\PKR
2008-04-19 00:32 . 2008-04-19 00:32 2,337,865 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-04-18 23:48 . 2008-05-09 01:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-04-18 23:40 . 2008-05-09 01:31 <DIR> d-------- C:\Program Files\Ubisoft
2008-04-16 17:26 . 2008-04-16 17:29 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-04-16 17:26 . 2008-04-16 17:52 76,319 --a------ C:\WINDOWS\War3Unin.dat
2008-04-16 17:26 . 2008-04-16 17:29 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-04-16 17:24 . 2008-05-13 21:04 <DIR> d-------- C:\Program Files\Warcraft III

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 04:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-14 02:51 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-14 02:51 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-05-12 20:29 --------- d-----w C:\Documents and Settings\Angus Chan\Application Data\uTorrent
2008-05-11 19:34 --------- d-----w C:\Documents and Settings\Angus Chan\Application Data\LimeWire
2008-05-11 04:25 --------- d-----w C:\Program Files\LimeWire
2008-05-10 03:55 --------- d-----w C:\Program Files\Real Alternative
2008-05-09 05:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-09 05:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-09 05:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-08 04:33 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-08 03:46 --------- d-----w C:\Program Files\OGPlanet
2008-05-06 21:16 --------- d-----w C:\Program Files\VstPlugins
2008-05-01 04:41 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-04-19 04:33 22,328 ----a-w C:\Documents and Settings\Angus Chan\Application Data\PnkBstrK.sys
2008-04-19 04:32 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-04-19 02:31 --------- d-----w C:\Program Files\Java
2008-04-19 02:30 --------- d--h--w C:\Documents and Settings\Angus Chan\Application Data\ijjigame
2008-04-13 15:41 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-04-13 06:36 --------- d-----w C:\Program Files\Total Video Converter
2008-04-13 06:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grid
2008-04-13 04:33 --------- d-----w C:\Program Files\MSN Messenger
2008-04-07 19:57 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-06 21:43 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-04-02 22:31 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-03-29 03:40 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-29 03:37 --------- d-----w C:\Program Files\Windows Live
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-22 23:01 --------- d-----w C:\Program Files\GenieSoft
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

------- Sigcheck -------

2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$hf_mig$\KB917953\SP2GDR\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2006-04-20 07:38 340480 b8158e2a6112c0a5ca67bc158fc70218 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2003-03-31 08:00 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtUninstallKB917953_0$\tcpip.sys
2006-04-20 07:51 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-02-19 19:22 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-02-19 19:22 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( snapshot@2008-05-14_ 0.22.33.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-23 04:56:21 554,008 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\dao360.dll
+ 2007-12-10 12:41:11 518,944 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexch40.dll
+ 2007-12-10 12:41:11 326,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexcl40.dll
+ 2007-12-10 12:41:11 1,516,568 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjet40.dll
+ 2007-12-10 12:41:11 355,112 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjetol1.dll
+ 2008-03-27 07:39:13 151,583 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjint40.dll
+ 2007-12-10 12:41:12 60,192 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll
+ 2007-12-10 12:41:12 248,608 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjtes40.dll
+ 2007-12-10 12:41:12 219,936 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msltus40.dll
+ 2007-12-10 12:41:12 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mspbde40.dll
+ 2007-12-10 12:41:13 432,928 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd2x40.dll
+ 2007-12-10 12:41:13 322,336 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd3x40.dll
+ 2007-12-10 12:41:13 559,904 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrepl40.dll
+ 2007-12-10 12:41:13 264,992 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mstext40.dll
+ 2007-12-10 12:41:13 838,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswdat10.dll
+ 2007-12-10 12:41:14 621,344 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswstr10.dll
+ 2007-12-10 12:41:14 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msxbde40.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\updspapi.dll
- 2008-05-14 04:17:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 20:04:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-08-29 04:38:10 500,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\MORPH9.DLL
+ 2007-08-29 04:38:46 9,584,512 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\MSPUB.EXE
+ 2007-08-24 08:43:28 138,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\PRTF9.DLL
+ 2007-08-29 04:39:14 625,560 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\PTXT9.DLL
+ 2007-08-24 08:43:36 593,296 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\PUBCONV.DLL
+ 2007-08-29 04:16:00 350,064 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\WINWORD.EXE
+ 2007-09-06 23:03:02 4,280,176 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\WRD12CNV.DLL
+ 2007-08-29 05:07:58 24,928 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\WRD12EXE.EXE
+ 2007-09-06 22:56:32 17,490,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6215\WWLIB.DLL
- 2008-04-08 20:05:30 1,165,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-05-14 04:43:45 1,165,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-04-08 20:05:31 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-05-14 04:43:46 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-04-08 20:05:31 159,504 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-05-14 04:43:46 159,504 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-04-08 20:05:31 184,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-05-14 04:43:46 184,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-04-08 20:05:31 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-05-14 04:43:46 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-04-08 20:05:31 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-05-14 04:43:46 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-04-08 20:05:31 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-05-14 04:43:46 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-04-08 20:05:31 845,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-05-14 04:43:46 845,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-04-08 20:05:31 922,384 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-05-14 04:43:46 922,384 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-04-08 20:05:31 272,648 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-05-14 04:43:46 272,648 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-04-08 20:05:31 888,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-05-14 04:43:46 888,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-04-08 20:05:30 1,172,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-05-14 04:43:46 1,172,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-03-25 04:50:25 554,008 -c----w C:\WINDOWS\system32\dllcache\dao360.dll
+ 2008-03-25 04:50:28 518,944 -c----w C:\WINDOWS\system32\dllcache\msexch40.dll
+ 2008-03-25 04:50:30 326,432 -c----w C:\WINDOWS\system32\dllcache\msexcl40.dll
+ 2008-03-25 04:50:34 1,516,568 -c----w C:\WINDOWS\system32\dllcache\msjet40.dll
+ 2008-03-25 04:50:40 355,112 -c----w C:\WINDOWS\system32\dllcache\msjetol1.dll
+ 2008-03-27 08:12:54 151,583 -c----w C:\WINDOWS\system32\dllcache\msjint40.dll
+ 2008-03-25 04:50:42 60,192 -c----w C:\WINDOWS\system32\dllcache\msjter40.dll
+ 2008-03-25 04:50:42 248,608 -c----w C:\WINDOWS\system32\dllcache\msjtes40.dll
+ 2008-03-25 04:50:44 219,936 -c----w C:\WINDOWS\system32\dllcache\msltus40.dll
+ 2008-03-25 04:50:45 355,104 -c----w C:\WINDOWS\system32\dllcache\mspbde40.dll
+ 2008-03-25 04:50:47 432,928 -c----w C:\WINDOWS\system32\dllcache\msrd2x40.dll
+ 2008-03-25 04:50:49 322,336 -c----w C:\WINDOWS\system32\dllcache\msrd3x40.dll
+ 2008-03-25 04:50:52 559,904 -c----w C:\WINDOWS\system32\dllcache\msrepl40.dll
+ 2008-03-25 04:50:55 264,992 -c----w C:\WINDOWS\system32\dllcache\mstext40.dll
+ 2008-03-25 04:50:57 838,432 -c----w C:\WINDOWS\system32\dllcache\mswdat10.dll
+ 2008-03-25 04:50:58 621,344 -c----w C:\WINDOWS\system32\dllcache\mswstr10.dll
+ 2008-03-25 04:50:58 355,104 -c----w C:\WINDOWS\system32\dllcache\msxbde40.dll
- 2004-08-04 07:56:43 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll
+ 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll
- 2004-08-04 07:56:43 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll
- 2004-08-04 07:56:43 1,507,356 ----a-w C:\WINDOWS\system32\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\msjet40.dll
- 2004-07-17 18:34:46 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
+ 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
- 2004-08-04 07:56:43 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll
+ 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll
- 2004-08-04 07:56:43 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll
- 2004-08-04 07:56:43 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll
+ 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
- 2004-08-04 07:56:43 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll
- 2004-08-04 07:56:43 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll
- 2004-08-04 07:56:43 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll
- 2004-08-04 07:56:43 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll
- 2004-08-04 07:56:43 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll
+ 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll
- 2004-08-04 07:56:44 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll
- 2004-08-04 07:56:44 614,429 ----a-w C:\WINDOWS\system32\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
- 2004-08-04 07:56:44 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 16:21 61952 C:\WINDOWS\system32\HdAShCut.exe]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 17:10 57344]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.DLL]
"BluetoothAuthenticationAgent"="rundll32.exe" [2004-08-04 03:56 33280 C:\WINDOWS\system32\rundll32.exe]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"Mediafour XPlay Tray Notification Icon"="C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE" [2004-09-27 16:11 94208]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-12-17 15:43 61440]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 17:54 106496]
"RegistryMechanic"="" []
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 21:08 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 19:52 849280]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

C:\Documents and Settings\Angus Chan\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 21:16:50 113664]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-01-22 01:03:11 376832]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
PenPower Email Touchpad.lnk - C:\Program Files\Pen Power\Win32\acremchk.exe [2008-01-05 18:44:46 305152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"C:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2005-07-20 18:35]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-09-13 14:53]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-02-04 17:09]
R2 ACEDRV09;ACEDRV09;C:\WINDOWS\system32\drivers\ACEDRV09.sys [2007-12-03 17:44]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2006-10-31 12:10]
S3 Revolution1;Revolution1;C:\Documents and Settings\Angus Chan\Desktop\gb\gb\Revolution_Engine_8.3_ShaK3\SHAK3.sys []
S3 SunkFilt6;Alcor Micro Corp - 6360;C:\WINDOWS\System32\Drivers\sunkfilt6.sys []
S3 SunkFilt62;Alcor Micro Corp - 6362;C:\WINDOWS\System32\Drivers\sunkfilt62.sys []
S3 UPnPService;UPnPService;C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 17:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f6aad47-c895-11dc-b4f4-0018f343b323}]
\Shell\AutoRun\command - F:\PMB_P.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-09-03 11:00:30 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe%Scan -RestrictPrivileges -ScanType 1
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 22:09:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-14 22:10:16
ComboFix-quarantined-files.txt 2008-05-15 02:10:12
ComboFix2.txt 2008-05-14 04:23:07

Pre-Run: 75,372,478,464 bytes free
Post-Run: 75,366,068,224 bytes free

287 --- E O F --- 2008-05-14 04:43:50
  • 0

#6
greyknight17
Posted 15 May 2008 - 06:37 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#7
greyknight17
Posted 15 May 2008 - 06:38 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP