HELP ME PLS! [RESOLVED]


  • This topic is locked

#16
Rugbymike
    Member
  • Topic Starter
  • 29 posts
I started up my computer today and Kaspersky didn't even start up.
So I pressed the Kaspersky icon to start it up that way and it won't start that way either.
It seems to be in the Task Manager, under both System and my account, but I can't shut them down.
Any ideas?

Never mind, I just restarted my PC and Kaspersky was back.
But it still has the problems.

Edited by Rugbymike, 17 August 2008 - 06:10 AM.

#17
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
As I said before, the chances are the malware damaged it on the way through. You may have to reinstall it.

Do you intend to proceed with the steps in my prior post?

#18
Rugbymike
    Member
  • Topic Starter
  • 29 posts
Yes, I am, but I'm experiencing problems starting the Kaspersky internet virus check. It shut down on me last time. I will try once again.
I can give you the logs from the other scans, though.

#19
Rugbymike
    Member
  • Topic Starter
  • 29 posts
JavaRa 1.11 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sat Aug 16 00:46:44 2008

Found and removed: C:\Windows\System32\jpicpl32.cpl

Found and removed: Software\JavaSoft\Java2D\1.5.0

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D510000

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510000

Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D510000

Found and removed: SOFTWARE\Classes\JavaPlugin.150

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.5.0

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5.0

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D510000

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510000

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150000}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.5.0

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core1.zip

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core2.zip

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core3.zip

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

------------------------------------

Finished reporting.

#20
Rugbymike
    Member
  • Topic Starter
  • 29 posts
Malwarebytes' Anti-Malware 1.24
Database version: 1056
Windows 5.1.2600 Service Pack 2

1:54:21 AM 8/16/2008
mbam-log-8-16-2008 (01-54-16).txt

Scan type: Full Scan (C:\|D:\|L:\|)
Objects scanned: 144011
Time elapsed: 54 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\byXrsRJa.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\fccdEVPI.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvVLcyw.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\wptyahnd.dll.vir (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{C86578EF-747D-4019-A9AE-474E59B98666}\RP98\A0015074.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{C86578EF-747D-4019-A9AE-474E59B98666}\RP98\A0015075.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{C86578EF-747D-4019-A9AE-474E59B98666}\RP98\A0015076.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{C86578EF-747D-4019-A9AE-474E59B98666}\RP98\A0015077.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\fccdEVPI.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\byxrsrja.dll (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Mike\Desktop\Antivirus-2008.lnk (Rogue.Antivirus) -> No action taken.

#21
Rugbymike
    Member
  • Topic Starter
  • 29 posts
I just launched the Internet Kaspersky and my computer crashed again.
It came up with Klif.sys.
No idea what that is.
Now, should I run a HijackThis log for you without doing the internet virus check?

#22
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Looks like you did not ask the Malwarebytes program to remove the infected items, so we will re-do it, and we will do a different online scan.

====STEP 1====
Double-click the Malwarebytes icon on your desktop to open the program.
  • On the tabs at the top, select Update and then press the Check for Updates button on that page. If an update is found, it will download and install the latest version.
  • Once complete (a new version of Malwarebytes may download), select the Scanner tab.
  • Select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



====STEP 2====
Please go HERE to run Panda's TotalScan
  • Select the bubble for Scan now
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report


In your next reply could I see:
1. the malwarebytes log
2. the Totalscan log
3. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
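The helper's diagnosis above rests on one detail of the MBAM log: every entry in post #20 ends in "-> No action taken", so the scan detected Vundo but removed nothing. The following parser is an added example written for this page, not code from the forum or from Malwarebytes; it reads a log in the same layout, cross-checks the summary counts against the listed entries, and reports whether a re-run with "Remove Selected" is needed. The sample log is constructed (placeholder paths and CLSID), not one of the logs in this thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.x log.
# It is not one of the logs posted in this thread; paths and the CLSID are placeholders.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.24
Database version: 1056
Windows 5.1.2600 Service Pack 2

1:54:21 AM 8/16/2008
mbam-log-8-16-2008 (01-54-16).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 144011
Time elapsed: 54 minute(s), 12 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000} (Trojan.Vundo) -> No action taken.

Files Infected:
C:\WINDOWS\system32\example1.dll (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\User\Desktop\Example.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<category>.+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<category>.+ Infected):$")
# "<item> (<family>) -> <action>."  The item may contain spaces and parentheses,
# so it is matched lazily and the family is pinned to the last parenthesised group.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

@dataclass
class Detection:
    section: str   # e.g. "Files Infected"
    item: str      # path or registry key
    family: str    # e.g. "Trojan.Vundo"
    action: str    # e.g. "No action taken"

@dataclass
class MbamReport:
    version: str = ""
    database: str = ""
    counts: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)

    def unremediated(self):
        """Detections the scan reported but did not quarantine or delete."""
        return [d for d in self.detections if d.action.lower().startswith("no action taken")]

    def needs_rerun(self):
        """True when the log shows findings that were left in place."""
        return bool(self.unremediated())

    def count_mismatches(self):
        """Sections whose summary count disagrees with the entries listed (e.g. a truncated paste)."""
        listed = {}
        for d in self.detections:
            listed[d.section] = listed.get(d.section, 0) + 1
        return {sec: (n, listed.get(sec, 0))
                for sec, n in self.counts.items() if n != listed.get(sec, 0)}

def parse_mbam_log(text):
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            report.version = line.rsplit(" ", 1)[1]
            continue
        if line.startswith("Database version: "):
            report.database = line.split(": ", 1)[1]
            continue
        m = SUMMARY_RE.match(line)          # "Files Infected: 11"
        if m:
            report.counts[m["category"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)          # "Files Infected:" opens a detail section
        if m:
            section = m["category"]
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if m:
            report.detections.append(Detection(section, m["item"], m["family"], m["action"]))
    return report

if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    for d in rep.unremediated():
        print(f"{d.section}: {d.item} ({d.family}) left in place")
    print("re-run with Remove Selected:", rep.needs_rerun())
```

The count cross-check is worth keeping: forum posts are often split or truncated because of post-length limits (the helper mentions this below), and a summary count that exceeds the listed entries tells you the log you are reading is incomplete rather than clean.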

#23
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

#24
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Topic re-opened at user's request.

#25
Rugbymike
    Member
  • Topic Starter
  • 29 posts
Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

4:54:45 PM 8/24/2008
mbam-log-08-24-2008 (16-54-45).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 111431
Time elapsed: 25 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#26
Rugbymike
    Member
  • Topic Starter
  • 29 posts
;*******************************************************************************
ANALYSIS: 2008-08-24 17:38:28
PROTECTIONS: 1
MALWARE: 14
SUSPECTS: 3
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Kaspersky Internet Security 8.0.0.357 No Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Mike\Cookies\mike@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Mike\Cookies\mike@atdmt[2].txt
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Mike\Desktop\Unused Desktop Shortcuts\Unused Desktop Icons\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\Program Files\Mozilla Firefox\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Mike\Desktop\Unused Desktop Shortcuts\Unused Desktop Icons\SmitfraudFix.exe[C:\Documents and Settings\Mike\Desktop\Unused Desktop Shortcuts\Unused Desktop Icons\SmitfraudFix.exe][SmitfraudFix\Process.exe]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Mike\Cookies\mike@fastclick[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Mike\Cookies\mike@tribalfusion[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mike\Cookies\[email protected][2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Mike\Cookies\mike@apmebf[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mike\Cookies\mike@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mike\Cookies\[email protected][2].txt
01185375 Application/Psexec.A HackTools No 0 Yes No C:\WINDOWS\PSEXESVC.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{C86578EF-747D-4019-A9AE-474E59B98666}\RP98\A0015106.EXE
02197130 Trj/Rebooter.J Virus/Trojan No 1 No No C:\Documents and Settings\Mike\Desktop\Unused Desktop Shortcuts\Unused Desktop Icons\SmitfraudFix.exe[C:\Documents and Settings\Mike\Desktop\Unused Desktop Shortcuts\Unused Desktop Icons\SmitfraudFix.exe][SmitfraudFix\Reboot.exe]
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Mike\Desktop\Unused Desktop Shortcuts\Unused Desktop Icons\SmitfraudFix\Reboot.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{C86578EF-747D-4019-A9AE-474E59B98666}\RP97\A0015025.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{C86578EF-747D-4019-A9AE-474E59B98666}\RP98\A0015083.sys
03445477 Adware/MalwareAlarm Adware No 1 No No C:\Documents and Settings\Mike\Desktop\Unused Desktop Shortcuts\Unused Desktop Icons\SmitfraudFix.exe[C:\Documents and Settings\Mike\Desktop\Unused Desktop Shortcuts\Unused Desktop Icons\SmitfraudFix.exe][SmitfraudFix\IEDFix.exe]
03445477 Adware/MalwareAlarm Adware No 1 Yes No C:\Program Files\Mozilla Firefox\SmitfraudFix\IEDFix.exe
03445477 Adware/MalwareAlarm Adware No 1 Yes No C:\Documents and Settings\Mike\Desktop\Unused Desktop Shortcuts\Unused Desktop Icons\SmitfraudFix\IEDFix.exe
03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\Documents and Settings\Mike\Desktop\Unused Desktop Shortcuts\Unused Desktop Icons\SmitfraudFix.exe
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
No C:\Program Files\Image-Line\FL Studio 8\fruityloops.studio.producer.edition.xxl.v8.0.0.exe
No C:\Program Files\Image-Line\FL Studio 8\Plugins\Fruity\Generators\Toxic Biohazard\Toxic Biohazard.dll
No C:\RECYCLER\S-1-5-21-854245398-602609370-725345543-1005\Dc2.exe
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
184380 MEDIUM MS08-002
184379 MEDIUM MS08-001
182048 HIGH MS07-069
182046 HIGH MS07-067
182043 HIGH MS07-064
179553 HIGH MS07-061
176382 HIGH MS07-057
176383 HIGH MS07-058
170911 HIGH MS07-050
170907 HIGH MS07-046
170906 HIGH MS07-045
170904 HIGH MS07-043
164915 HIGH MS07-035
164913 HIGH MS07-033
164911 HIGH MS07-031
160623 HIGH MS07-027
157262 HIGH MS07-022
157261 HIGH MS07-021
157260 HIGH MS07-020
157259 HIGH MS07-019
156477 HIGH MS07-017
150253 HIGH MS07-016
150249 HIGH MS07-013
150248 HIGH MS07-012
150247 HIGH MS07-011
150243 HIGH MS07-008
150242 HIGH MS07-007
150241 MEDIUM MS07-006
141034 HIGH MS06-076
141033 MEDIUM MS06-075
141030 HIGH MS06-072
137571 HIGH MS06-070
137568 HIGH MS06-067
133387 MEDIUM MS06-065
133386 MEDIUM MS06-064
133385 MEDIUM MS06-063
133379 HIGH MS06-057
131654 HIGH MS06-055
129977 MEDIUM MS06-053
129976 MEDIUM MS06-052
126093 HIGH MS06-051
126092 MEDIUM MS06-050
126087 HIGH MS06-046
126086 MEDIUM MS06-045
126083 HIGH MS06-042
126082 HIGH MS06-041
126081 HIGH MS06-040
123421 HIGH MS06-036
123420 HIGH MS06-035
120825 MEDIUM MS06-032
120823 MEDIUM MS06-030
120818 HIGH MS06-025
120815 HIGH MS06-022
120814 HIGH MS06-021
117384 MEDIUM MS06-018
114666 HIGH MS06-015
114664 HIGH MS06-013
108744 MEDIUM MS06-008
108743 MEDIUM MS06-007
108742 MEDIUM MS06-006
;===============================================================================

#27
Rugbymike
    Member
  • Topic Starter
  • 29 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:40:24, on 8/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: RK Launcher.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: RK Launcher.lnk = ? (User 'Default user')
O4 - Startup: RK Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Statistik für den Schutz des Web-Datenverkehrs - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8618 bytes

#28
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
The Panda TotalScan found 4 infections; the rest were tools we have used to fix the malware.

Firstly, can you tell me if your Kaspersky anti-virus program is now working?


====STEP 1====
Could you empty your Recycle Bin? There is an infection in there.


====STEP 2====
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Program Files\Image-Line\FL Studio 8\fruityloops.studio.producer.edition.xxl.v8.0.0.exe
C:\Program Files\Image-Line\FL Studio 8\Plugins\Fruity\Generators\Toxic Biohazard\Toxic Biohazard.dll
C:\WINDOWS\PSEXESVC.EXE


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply could I see:
1. the answer to the kaspersky question
2. the combofix log
3. a new hijackthis log
4. some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
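Reading the TotalScan report in post #26 the way the helper does above means separating the signal from the noise: tracking cookies and the HackTools hits on SmitfraudFix and PsExec are remediation tools and cookies, the PROTECTIONS table lists Kaspersky Internet Security with Active = No (which is why the Kaspersky question comes first), and the VULNERABILITIES table is a long list of Microsoft bulletins the machine is missing. The parser below is an added example written for this page, not code from Panda or from the forum. It assumes the column layout visible in that report (descriptions may contain spaces, so each row is anchored on the fixed Yes/No and numeric columns that follow them), skips the wrapped ";***" and "===" banner lines, and goes one step beyond the helper's remark by also summarising the missing bulletins by severity. The sample report is constructed, with placeholder names and paths.

```python
import re
from collections import Counter

# Constructed sample in the layout of a Panda TotalScan report. It is not the report
# posted in this thread; product names, paths and ids are placeholders.
SAMPLE_REPORT = r"""
;*******************************************************************************
ANALYSIS: 2008-08-24 17:38:28
PROTECTIONS: 1
MALWARE: 3
SUSPECTS: 1
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Example Antivirus 8.0.0.1 No Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00000001 Cookie/Example DMT TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@example[1].txt
00000002 Application/ExampleTool HackTools No 0 Yes No C:\Tools\Fixer\Process.exe
00000003 Trj/Example.A Virus/Trojan Yes 1 Yes No C:\WINDOWS\system32\example.dll
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
No C:\RECYCLER\S-1-5-21-0-0-0-1005\Dc2.exe
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
184380 MEDIUM MS08-002
182048 HIGH MS07-069
150253 HIGH MS07-016
;===============================================================================
"""

SECTIONS = ("PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES")
SUMMARY_RE = re.compile(r"^(ANALYSIS|PROTECTIONS|MALWARE|SUSPECTS): (.+)$")
# Free-text columns (description, location) are matched lazily; the fixed-vocabulary
# columns after them (version digits, Yes/No, severity digits) pin the boundaries.
ROW_RE = {
    "PROTECTIONS": re.compile(r"^(?P<description>.+?)\s+(?P<version>\d+(?:\.\d+)+)\s+"
                              r"(?P<active>Yes|No)\s+(?P<updated>Yes|No)$"),
    "MALWARE": re.compile(r"^(?P<id>\d{8})\s+(?P<description>.+?)\s+(?P<type>\S+)\s+"
                          r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+"
                          r"(?P<disinfected>Yes|No)\s+(?P<location>.+)$"),
    "SUSPECTS": re.compile(r"^(?P<sent>Yes|No)\s+(?P<location>.+)$"),
    "VULNERABILITIES": re.compile(r"^(?P<id>\d+)\s+(?P<severity>HIGH|MEDIUM|LOW)\s+"
                                  r"(?P<bulletin>MS\d{2}-\d{3})$"),
}

def parse_totalscan(text):
    """Return {'summary': {...}, 'PROTECTIONS': [rows], 'MALWARE': [rows], ...}."""
    report = {"summary": {}, **{name: [] for name in SECTIONS}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        # Banner lines (';****', '====') carry no data and may be wrapped over several lines.
        if not line or line[0] in ";=":
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report["summary"][m.group(1)] = m.group(2)
            continue
        if line in SECTIONS:
            section = line
            continue
        if section is None:
            continue
        m = ROW_RE[section].match(line)
        if m:  # column-header lines such as "Id Description ..." do not match and are skipped
            report[section].append(m.groupdict())
    return report

def active_protections(report):
    """Product name -> whether the report lists it as Active."""
    return {p["description"]: p["active"] == "Yes" for p in report["PROTECTIONS"]}

def malware_by_type(report):
    """Counts per Type column, e.g. TrackingCookie vs HackTools vs Virus/Trojan."""
    return Counter(row["type"] for row in report["MALWARE"])

def active_malware(report):
    """Locations of hits the scanner saw as active (running or loaded), not just on disk."""
    return [row["location"] for row in report["MALWARE"] if row["active"] == "Yes"]

def bulletins_by_severity(report):
    return Counter(row["severity"] for row in report["VULNERABILITIES"])

def oldest_bulletin(report):
    """Earliest missing Microsoft bulletin in MSyy-nnn order, or None if the table is empty."""
    ids = [row["bulletin"] for row in report["VULNERABILITIES"]]
    return min(ids, key=lambda b: (int(b[2:4]), int(b[5:]))) if ids else None

if __name__ == "__main__":
    rep = parse_totalscan(SAMPLE_REPORT)
    print("protections active:", active_protections(rep))
    print("hits by type:", dict(malware_by_type(rep)))
    print("active malware:", active_malware(rep))
    print("missing bulletins:", dict(bulletins_by_severity(rep)), "oldest:", oldest_bulletin(rep))
```

Run against the report in post #26 the same functions would show Kaspersky Internet Security inactive, the HackTools and TrackingCookie rows grouped apart from the Rootkit/Booto.C and Trj/Rebooter.J rows, and a missing-bulletin list reaching back to MS06-006, which is the patch backlog a cleaned machine still has to close before it goes back online.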

#29
Rugbymike
    Member
  • Topic Starter
  • 29 posts
Kaspersky seems to be working fine now; no more of the problems I had when I surfed the internet, where it would have to restart.
And the computer seems to be running with no problem, except for boot time and the DVD drives not working.

Log will follow soon

#30
Rugbymike
    Member
  • Topic Starter
  • 29 posts
ComboFix 08-08-27.06 - Mike 2008-08-28 19:20:19.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1508 [GMT 2:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike\Desktop\CFScript.txt.txt
* Created a new restore point

FILE ::
C:\Program Files\Image-Line\FL Studio 8\fruityloops.studio.producer.edition.xxl.v8.0.0.exe
C:\Program Files\Image-Line\FL Studio 8\Plugins\Fruity\Generators\Toxic Biohazard\Toxic Biohazard.dll
C:\WINDOWS\PSEXESVC.EXE
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\#SharedObjects\6YMTH3T4\bin.clearspring.com
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\#SharedObjects\6YMTH3T4\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\#SharedObjects\6YMTH3T4\static.youku.com
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\#SharedObjects\6YMTH3T4\static.youku.com\v1.0.0307\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Program Files\Image-Line\FL Studio 8\fruityloops.studio.producer.edition.xxl.v8.0.0.exe
C:\Program Files\Image-Line\FL Studio 8\Plugins\Fruity\Generators\Toxic Biohazard\Toxic Biohazard.dll
C:\WINDOWS\PSEXESVC.EXE

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-28 )))))))))))))))))))))))))))))))
.

2008-08-28 19:06 . 2008-08-28 19:07 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-25 21:02 . 2008-08-25 21:02 <DIR> d-------- C:\Program Files\AeriaGames
2008-08-25 20:26 . 2008-08-25 20:26 <DIR> d-------- C:\Program Files\FrostWire
2008-08-25 20:26 . 2008-08-25 20:45 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\FrostWire
2008-08-24 16:56 . 2008-08-24 16:56 <DIR> d-------- C:\Program Files\Panda Security
2008-08-24 16:56 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-17 20:25 . 2008-08-17 20:25 331 --a------ C:\WINDOWS\doom3.ini
2008-08-17 20:16 . 2008-08-27 18:51 <DIR> d-------- C:\Program Files\Doom 3
2008-08-17 19:44 . 2008-08-17 19:46 <DIR> d-------- C:\Program Files\Common Files\ATI Technologies
2008-08-17 19:44 . 2008-05-21 01:53 93,696 -ra------ C:\WINDOWS\system32\drivers\AtiHdmi.sys
2008-08-17 19:43 . 2008-06-03 04:47 3,107,788 -ra------ C:\WINDOWS\system32\ativvaxx.dat
2008-08-17 19:43 . 2008-06-03 04:47 3,107,788 -ra------ C:\WINDOWS\system32\ativva5x.dat
2008-08-17 19:43 . 2008-06-03 04:47 887,724 -ra------ C:\WINDOWS\system32\ativva6x.dat
2008-08-17 19:43 . 2008-07-03 21:05 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-08-17 19:43 . 2008-07-04 05:25 421,888 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2008-08-17 19:43 . 2008-07-04 04:55 307,200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2008-08-17 19:43 . 2008-06-10 23:50 174,819 --a------ C:\WINDOWS\system32\atiicdxx.dat
2008-08-17 19:43 . 2008-05-13 14:10 13,052 --a------ C:\WINDOWS\atiogl.xml
2008-08-17 19:43 . 2007-08-31 15:20 7,167 -ra------ C:\WINDOWS\system32\atifglpf.xml
2008-08-17 19:11 . 2008-08-17 19:11 10 --a------ C:\WINDOWS\WININIT.INI
2008-08-16 01:56 . 2008-08-16 01:56 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-16 00:57 . 2008-08-24 12:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-16 00:57 . 2008-08-16 00:57 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-08-16 00:57 . 2008-08-16 00:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-16 00:57 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-16 00:57 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-16 00:51 . 2008-08-16 00:51 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-08-16 00:51 . 2008-08-16 00:51 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-15 13:38 . 2008-08-15 13:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-15 13:38 . 2008-08-15 13:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-14 22:47 . 2008-08-15 18:48 2,402 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-14 21:19 . 2008-08-14 21:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 20:54 . 2008-08-14 20:54 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-08-14 20:54 . 2008-08-14 20:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-14 20:54 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-08-14 20:10 . 2008-08-14 20:10 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\MAGIX
2008-08-14 20:10 . 2001-05-11 13:18 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2008-08-14 20:10 . 2001-05-16 17:54 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-08-14 20:10 . 2001-03-26 04:41 245,760 --a------ C:\WINDOWS\system32\mp4sds32.ax
2008-08-14 20:10 . 2008-08-14 20:10 28 --a------ C:\WINDOWS\Robota.INI
2008-08-14 20:09 . 2008-08-14 20:19 <DIR> d-------- C:\Program Files\MAGIX
2008-08-14 20:09 . 2008-08-14 20:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MAGIX
2008-08-14 20:08 . 2008-08-14 20:19 <DIR> d-------- C:\WINDOWS\system32\MAGIX
2008-08-14 20:08 . 2008-04-15 16:14 700,416 --a------ C:\WINDOWS\system32\mgxoschk.dll
2008-08-14 20:08 . 2008-08-14 20:10 5,937 --a------ C:\WINDOWS\mgxoschk.ini
2008-08-14 18:13 . 2005-05-18 11:52 1,212,416 --a------ C:\WINDOWS\system32\NCTAudioInformation2.dll
2008-08-14 18:13 . 2005-04-04 17:21 602,112 --a------ C:\WINDOWS\system32\NCTAudioTransform2.dll
2008-08-14 18:13 . 2005-03-28 15:54 479,232 --a------ C:\WINDOWS\system32\NCTAudioVisualization2.dll
2008-08-14 18:13 . 2005-04-25 13:01 458,752 --a------ C:\WINDOWS\system32\NCTAudioRecord2.dll
2008-08-14 18:13 . 2005-04-25 13:01 458,752 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll
2008-08-14 18:13 . 2005-03-28 15:52 417,792 --a------ C:\WINDOWS\system32\NCTTextToAudio2.dll
2008-08-14 18:13 . 2005-02-24 11:51 348,160 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll
2008-08-14 18:13 . 2006-03-23 12:56 113,486 --a------ C:\WINDOWS\system32\NCTWMAProfiles.prx
2008-08-14 18:12 . 2008-08-14 18:14 <DIR> d-------- C:\Program Files\Free Sound Recorder
2008-08-14 18:12 . 2005-05-17 12:37 1,986,560 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll
2008-08-14 18:12 . 2005-04-15 12:08 880,640 --a------ C:\WINDOWS\system32\NCTAudioEditor2.dll
2008-08-14 18:12 . 2004-11-04 13:31 835,584 --a------ C:\WINDOWS\system32\NCTAudioCDGrabber2.dll
2008-08-14 18:12 . 2002-01-05 16:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-08-14 17:51 . 2008-08-14 17:51 <DIR> d-------- C:\Program Files\NCH Software
2008-08-14 17:50 . 2008-08-14 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-08-14 17:48 . 2008-08-14 18:13 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\NCH Swift Sound
2008-08-14 17:48 . 2008-08-14 17:48 27,136 --a------ C:\WINDOWS\system32\drivers\nchssvad.sys
2008-08-12 22:39 . 2008-08-12 22:46 <DIR> d-------- C:\Program Files\PhotoScape
2008-08-12 21:28 . 2008-08-12 21:28 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-08-12 21:28 . 2008-08-12 21:28 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2008-08-12 21:28 . 2008-08-12 21:28 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Jasc Software Inc
2008-08-12 21:28 . 2008-08-12 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-08-11 23:52 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-11 23:52 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-11 23:52 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-08-11 23:52 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-08-11 22:36 . 2008-08-11 22:36 <DIR> d-------- C:\Program Files\Red Kawa
2008-08-11 22:36 . 2008-08-11 22:36 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-08-10 23:16 . 2008-08-10 23:16 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-10 16:57 . 2008-08-16 21:05 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\AdobeUM
2008-08-10 14:00 . 2002-04-22 13:30 4,284,416 -ra------ C:\WINDOWS\uncsetup.exe
2008-08-10 14:00 . 2008-08-10 14:00 53,248 --a------ C:\WINDOWS\system32\unrar.dll
2008-08-10 02:46 . 2008-08-10 02:46 <DIR> d-------- C:\Program Files\Logitech
2008-08-10 02:46 . 2008-08-10 02:50 <DIR> d-------- C:\Program Files\Common Files\LogiShrd
2008-08-10 02:46 . 2008-08-10 02:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-08-10 02:46 . 2008-08-10 02:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2008-08-09 19:42 . 2008-08-15 17:51 941 --a------ C:\WINDOWS\system32\%LocalXml%
2008-08-09 01:10 . 2008-08-09 03:12 <DIR> d-------- C:\Program Files\9Dragons
2008-08-09 00:35 . 2008-08-09 00:35 74,081 --a------ C:\FRUITYLOOPS.STUDIO.PRODUCER.EDITION.XXL.V8.0.0.EXE
2008-08-09 00:33 . 2008-08-09 00:33 <DIR> d-------- C:\Program Files\VstPlugins
2008-08-09 00:33 . 2008-08-09 00:33 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-08-09 00:33 . 2002-07-08 00:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-08-09 00:33 . 2006-06-20 10:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2008-08-09 00:32 . 2008-08-09 00:32 <DIR> d-------- C:\Program Files\Outsim
2008-08-09 00:31 . 2008-08-14 18:06 <DIR> d-------- C:\Program Files\Image-Line
2008-08-08 23:54 . 2008-08-08 23:54 4,096 --a------ C:\WINDOWS\system32\crash
2008-08-08 23:47 . 2008-08-08 23:55 <DIR> d-------- C:\Program Files\ATITool
2008-08-07 22:51 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-08-07 22:51 . 2004-08-03 23:08 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
2008-08-07 22:50 . 2008-08-07 22:50 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-08-07 22:50 . 2008-08-07 22:50 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-08-07 22:49 . 2008-08-07 22:51 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\PC Suite
2008-08-07 22:49 . 2008-08-07 22:51 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Nokia
2008-08-07 22:49 . 2008-08-07 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-08-07 22:48 . 2008-08-07 22:48 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-08-07 22:48 . 2008-08-07 22:48 <DIR> d-------- C:\Program Files\Nokia
2008-08-07 22:48 . 2008-08-07 22:48 <DIR> d-------- C:\Program Files\DIFX
2008-08-07 22:48 . 2008-08-07 22:48 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-08-07 22:48 . 2008-08-07 22:48 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-08-07 22:48 . 2008-05-07 07:39 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-08-07 22:48 . 2008-05-07 07:38 659,968 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-08-07 22:48 . 2008-05-07 07:38 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-08-07 22:48 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-08-07 22:48 . 2008-05-07 07:38 20,864 --a------ C:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-08-07 22:48 . 2008-05-07 07:38 17,536 --a------ C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-08-07 22:48 . 2008-05-07 07:38 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys
2008-08-07 22:48 . 2008-06-06 09:24 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-08-07 22:47 . 2008-08-07 22:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-08-07 21:35 . 2008-08-07 21:35 <DIR> d-------- C:\Program Files\Belarc
2008-08-07 21:35 . 2008-02-27 13:49 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2008-08-07 21:15 . 2008-08-07 21:15 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-08-07 21:15 . 2008-08-10 20:26 162,008 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-08-07 21:15 . 2008-08-10 20:26 111,928 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-08-07 21:15 . 2008-08-07 21:15 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-08-07 21:08 . 2008-08-07 21:08 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-07 21:00 . 2008-08-07 21:14 <DIR> d-------- C:\Program Files\WarRock
2008-08-07 21:00 . 2008-08-07 21:00 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\InstallShield
2008-08-07 19:08 . 2008-08-24 12:43 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\OpenOffice.org2
2008-08-07 19:06 . 2008-08-24 12:45 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-08-07 00:02 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-17 19:55 11,973 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-08-15 22:51 --------- d-----w C:\Program Files\Java
2008-08-04 21:45 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-04 21:44 --------- d-----w C:\Program Files\Common Files\Java
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-04 06:33 3,230,720 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-07-04 03:48 9,490,432 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-07-04 03:23 309,248 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-07-04 03:14 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-07-04 03:14 184,320 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-07-04 03:14 143,360 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-07-04 03:13 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-07-04 03:13 139,264 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-07-04 03:12 561,152 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-07-04 03:10 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-07-04 03:06 253,952 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-07-04 03:00 3,786,144 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-07-04 02:49 2,140,672 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-07-04 02:34 48,640 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-07-04 02:30 348,160 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-07-04 02:29 32,768 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-07-04 02:28 53,248 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-07-04 02:28 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-07-04 02:22 565,248 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((( snapshot@2008-08-15_21.00.21.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-17 17:45:48 25,214 ----a-r C:\WINDOWS\Installer\{36CDA33B-909B-4719-97D1-C4B99309BDC7}\ARPPRODUCTICON.exe
+ 2008-08-17 17:46:04 9,158 ----a-r C:\WINDOWS\Installer\{5DA6F06A-B389-407B-BF8C-1548767914D8}\ARPPRODUCTICON.exe
+ 2008-08-15 23:56:37 32,768 ----a-r C:\WINDOWS\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\icon.exe
+ 2007-07-30 17:19:20 92,504 ----a-w C:\WINDOWS\LastGood\system32\cdm.dll
+ 2007-07-30 17:19:36 549,720 ----a-w C:\WINDOWS\LastGood\system32\wuapi.dll
+ 2007-07-30 17:19:16 53,080 ----a-w C:\WINDOWS\LastGood\system32\wuauclt.exe
+ 2007-07-30 17:19:42 1,712,984 ----a-w C:\WINDOWS\LastGood\system32\wuaueng.dll
+ 2007-07-30 17:19:32 325,976 ----a-w C:\WINDOWS\LastGood\system32\wucltui.dll
+ 2007-07-30 17:18:40 33,624 ----a-w C:\WINDOWS\LastGood\system32\wups.dll
+ 2007-07-30 17:19:12 43,352 ----a-w C:\WINDOWS\LastGood\system32\wups2.dll
+ 2007-07-30 17:19:28 203,096 ----a-w C:\WINDOWS\LastGood\system32\wuweb.dll
+ 2005-10-11 08:56:14 73,728 ----a-r C:\WINDOWS\system32\atiexdxx.dll
+ 2007-08-21 19:36:12 40,960 ----a-w C:\WINDOWS\system32\ATIODCLI.exe
+ 2007-08-21 21:51:16 81,920 ----a-w C:\WINDOWS\system32\ATIODE.exe
- 2008-08-15 16:56:18 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-28 17:05:09 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-15 16:56:18 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-28 17:05:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-28 17:05:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-09-15 01:59:22 233,472 -c--a-w C:\WINDOWS\system32\dllcache\ati2cqag.dll
+ 2008-06-03 02:21:24 557,056 -c--a-w C:\WINDOWS\system32\dllcache\ati2cqag.dll
- 2005-09-15 02:58:48 241,664 -c--a-w C:\WINDOWS\system32\dllcache\ati2dvag.dll
+ 2008-06-03 03:21:06 306,688 -c--a-w C:\WINDOWS\system32\dllcache\ati2dvag.dll
- 2005-09-15 02:44:50 2,429,952 -c--a-w C:\WINDOWS\system32\dllcache\ati3duag.dll
+ 2008-06-03 02:59:00 3,500,352 -c--a-w C:\WINDOWS\system32\dllcache\ati3duag.dll
- 2005-09-15 02:39:24 602,016 -c--a-w C:\WINDOWS\system32\dllcache\ativvaxx.dll
+ 2008-06-03 02:48:10 2,120,832 -c--a-w C:\WINDOWS\system32\dllcache\ativvaxx.dll
- 2007-07-30 17:19:20 92,504 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2008-07-18 20:10:48 94,920 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
- 2007-07-30 17:19:36 549,720 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
+ 2008-07-18 20:09:44 563,912 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
- 2007-07-30 17:19:16 53,080 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
+ 2008-07-18 20:10:42 53,448 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
- 2007-07-30 17:19:42 1,712,984 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2008-07-18 20:09:42 1,811,656 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
- 2007-07-30 17:19:32 325,976 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
+ 2008-07-18 20:09:46 325,832 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
- 2007-07-30 17:19:28 203,096 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2008-07-18 20:09:44 205,000 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
- 2008-08-15 18:55:18 2,275,872 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
+ 2008-08-27 22:09:38 2,666,528 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
- 2008-08-15 18:55:18 426,016 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
+ 2008-08-28 17:07:24 475,168 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
- 2008-08-04 21:44:53 49,245 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-08-15 22:51:44 139,264 ----a-w C:\WINDOWS\system32\java.exe
- 2008-08-04 21:44:53 49,247 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-08-15 22:51:44 139,264 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-08-04 21:44:53 127,075 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-08-15 22:51:44 143,360 ----a-w C:\WINDOWS\system32\javaws.exe
- 2003-04-18 14:46:22 1,233,920 ----a-w C:\WINDOWS\system32\msxml4.dll
+ 2007-05-08 13:03:04 1,275,392 ----a-w C:\WINDOWS\system32\msxml4.dll
- 2008-08-04 22:27:50 62,548 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-17 17:44:35 62,548 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-04 22:27:50 401,394 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-17 17:44:35 401,394 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-03 02:33:56 48,128 ----a-w C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\amdpcom32.dll
+ 2008-06-03 02:28:20 23,040 ----a-w C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\atiadlxx.dll
+ 2008-06-03 03:22:24 413,696 ----a-r C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\ATIDEMGX.dll
+ 2007-08-21 19:36:12 40,960 ----a-w C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\ATIODCLI.exe
+ 2007-08-21 21:51:16 81,920 ----a-w C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\ATIODE.exe
+ 2008-06-03 03:46:34 10,276,864 ----a-w C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\atioglx2.dll
+ 2008-06-03 03:04:24 245,760 ----a-w C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\atiok3x2.dll
+ 2008-06-03 02:47:46 3,107,788 ----a-r C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\ativva5x.dat
+ 2008-06-03 02:47:46 887,724 ----a-r C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\ativva6x.dat
+ 2008-06-03 02:47:46 3,107,788 ----a-r C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\ativvaxx.dat
+ 2008-07-18 20:10:20 36,552 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.784\wups.dll
+ 2008-07-18 20:10:40 45,768 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.784\wups2.dll
+ 2008-08-28 17:05:05 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_42c.dat
+ 2007-05-08 13:06:44 1,275,392 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
+ 2007-04-18 08:36:40 82,432 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 16:00 1249280]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-06-18 14:31 1122816]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 10:49 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-08-16 00:51 144792]
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-07-18 17:08 270336]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37 2178832]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 18:21 201992]
"SoundMan"="SOUNDMAN.EXE" [2005-12-14 19:06 577536 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

C:\Documents and Settings\Mike\Start Menu\Programs\Startup\
RK Launcher.lnk - C:\Documents and Settings\Mike\Desktop\RK_Launcher_041_Beta_Nightly\RKLauncher.exe [2008-08-05 22:07:16 708608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispSettingPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\Nexon\Combat Arms\CombatArms.exe"= C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"C:\Nexon\Combat Arms\Engine.exe"= C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-08-16 00:51]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14:00]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;C:\WINDOWS\system32\drivers\AtiHdmi.sys [2008-05-21 01:53]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 19:02]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
R3 SIS163u;SiS163 usb Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\sis163u.sys [2005-06-20 09:12]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 15:18]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-05 21:41]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-15 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 13:31]

2008-08-05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 19:24:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-28 19:26:52
ComboFix-quarantined-files.txt 2008-08-28 17:26:45
ComboFix2.txt 2008-08-15 19:00:50

Pre-Run: 124,809,736,192 bytes free
Post-Run: 124,907,155,456 bytes free

348 --- E O F --- 2008-08-15 23:56:38