Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Very slow boot [RESOLVED]

Started by Bendrix , Aug 19 2008 06:37 AM

  • This topic is locked This topic is locked

#1
Bendrix
Posted 19 August 2008 - 06:37 AM

Bendrix

    Member

  • Member
  • PipPip
  • 49 posts
Hi, I was recently having a problem with a virus that changed my wallpaper to a warning that said I needed to download a antivirus. And the desktop/screen saver tabs were both missing in my properties menu. I then ran MalwareBytes and it picked up a bunch of stuff. I deleted the problems, and everything seems to be good now, no more changed background. However, I am still left with a very slow boot. So I have ran a Hijack this log for you, and I also have the log from the Malware Bytes scan that I did.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:41 AM, on 19/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.c...h...P&M=GM5258H
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.c...h...P&M=GM5258H
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel® Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11722 bytes

Edited by Bendrix, 19 August 2008 - 06:39 AM.

  • 0

Advertisements

#2
Bendrix
Posted 19 August 2008 - 06:38 AM

Bendrix

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Here is my MalewareBytes log.


Malwarebytes' Anti-Malware 1.25
Database version: 1070
Windows 5.1.2600 Service Pack 3

7:12:41 AM 19/08/2008
mbam-log-08-19-2008 (07-12-41).txt

Scan type: Quick Scan
Objects scanned: 51412
Time elapsed: 2 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 6
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{eddbb5ee-bb64-4bfc-9dbe-e7c85941335b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phct5dj0ea2c.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
  • 0

#3
BHowett
Posted 23 August 2008 - 04:04 PM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hello Bendrix, and welcome back to Geeks To Go! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure then please do not guess , simply post back with your question, and we will go through it again.

Sorry for the delay but we are really busy these days :) I am looking through your logs now and will get back to you as soon as I can.
  • 0

#4
BHowett
Posted 23 August 2008 - 04:25 PM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hello Bendrix,

I’m not really seeing anything in you HJT log, so lets take a deeper look at some things :)

Download OTViewIt to your desktop.
  • Close all windows and double click OTViewIt
  • Place a tick in the Scan all Users box
  • In the File Age drop down box select 60 days
  • Click Run Scan and let the program run uninterrupted
  • On completion it will produce two logs on the Desktop, post the OTViewIt.txt and Extras.txt logs in your next post.

  • 0

#5
Bendrix
Posted 23 August 2008 - 07:43 PM

Bendrix

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
I get a error that says "list index out of bounds (19)"
  • 0

#6
BHowett
Posted 23 August 2008 - 09:54 PM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
hello again,

lets try it again, it just ran fine for me :) just delete the copy you have and start over with my new instructions.


Download OTViewIt to your desktop.
  • Close all windows and double click OTViewIt
  • In the File Age drop down box select 60 days
  • Click Run Scan and let the program run uninterrupted
  • On completion it will produce two logs on the Desktop, post the OTViewIt.txt and Extras.txt logs in your next post.

  • 0

#7
Bendrix
Posted 23 August 2008 - 10:16 PM

Bendrix

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
it still says out of bounds :) Maybe 60 days is too far?

edit: never mind 30 days doesn't work either.

Edited by Bendrix, 23 August 2008 - 10:17 PM.

  • 0

#8
BHowett
Posted 24 August 2008 - 07:05 AM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hi Bendrix,

I was talking to the owner of OTViewIt and we are looking into that error, so let’s move on and do the following.


ComboFix

Please visit below webpage for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.
  • 0

#9
Bendrix
Posted 25 August 2008 - 03:36 AM

Bendrix

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
I followed the instructions to install the recovery program by dragging the installer into combo fix, And it seemed to work. But after Combo fix finished doing its thing, in the log it said WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

so i guess I will uninstall it all and retry. I cant do it right now how ever so I will have to do it tomorrow sorry.

Edited by Bendrix, 25 August 2008 - 03:43 AM.

  • 0

#10
BHowett
Posted 25 August 2008 - 07:12 AM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hello again,

thats ok for right now, can you post that log?
  • 0

Advertisements

#11
Bendrix
Posted 28 August 2008 - 12:03 AM

Bendrix

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
I believe this is it:

ComboFix 08-08-24.02 - Owner 2008-08-25 4:01:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1486 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.Bendrix\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\IUSR_NMPR\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Owner.Bendrix\Application Data\macromedia\Flash Player\#SharedObjects\LPSY5EPE\interclick.com
C:\Documents and Settings\Owner.Bendrix\Application Data\macromedia\Flash Player\#SharedObjects\LPSY5EPE\interclick.com\ud.sol
C:\Documents and Settings\Owner.Bendrix\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner.Bendrix\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\a.exe
C:\WINDOWS\Sysvxd.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-24 16:56 . 2008-08-24 16:56 <DIR> d-------- C:\Documents and Settings\Owner.Bendrix\Application Data\InstallShield Installation Information
2008-08-24 16:34 . 2008-08-24 16:34 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-08-24 16:34 . 2008-08-24 16:34 <DIR> d-------- C:\Program Files\Unreal Tournament 3
2008-08-24 16:34 . 2008-08-24 16:34 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-08-24 01:11 . 2008-08-24 01:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-08-23 03:50 . 2008-08-23 03:50 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-08-23 01:14 . 2008-08-23 01:15 <DIR> d-------- C:\Program Files\RivaTuner v2.09
2008-08-23 01:14 . 2008-08-23 01:14 <DIR> d-------- C:\Program Files\RivaTuner
2008-08-22 18:28 . 2008-08-22 18:30 <DIR> d-------- C:\WINDOWS\NV36685592.TMP
2008-08-22 18:28 . 2008-05-19 18:16 186,407 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-08-22 17:44 . 2008-08-22 18:30 <DIR> d-------- C:\WINDOWS\nview
2008-08-22 17:44 . 2008-05-16 11:48 446,464 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-08-22 17:44 . 2008-05-16 14:01 446,464 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-08-22 17:44 . 2008-08-25 03:52 181,718 --a------ C:\WINDOWS\system32\nvapps.xml
2008-08-22 17:44 . 2008-05-16 14:01 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-08-22 17:41 . 2008-08-22 17:41 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-08-22 17:41 . 2008-08-22 17:41 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-08-21 23:51 . 2008-08-23 20:50 <DIR> d---s---- C:\Program Files\HLSW
2008-08-21 23:51 . 2008-08-23 20:50 <DIR> d-------- C:\Documents and Settings\Owner.Bendrix\Application Data\HLSW
2008-08-20 19:29 . 2008-08-20 19:29 <DIR> d-------- C:\Documents and Settings\Owner.Bendrix\Application Data\SmartFTP
2008-08-20 19:28 . 2008-08-20 19:28 <DIR> d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-08-20 19:28 . 2008-08-20 19:28 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-08-19 07:07 . 2008-08-19 07:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-19 07:07 . 2008-08-19 07:07 <DIR> d-------- C:\Documents and Settings\Owner.Bendrix\Application Data\Malwarebytes
2008-08-19 07:07 . 2008-08-19 07:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-19 07:07 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-19 07:07 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-19 05:58 . 2008-08-19 05:58 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-19 05:58 . 2008-08-19 05:58 <DIR> d-------- C:\Documents and Settings\Owner.Bendrix\Application Data\SUPERAntiSpyware.com
2008-08-19 05:58 . 2008-08-19 05:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-19 05:52 . 2008-08-19 07:07 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-19 05:52 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-08-17 19:58 . 2008-08-17 19:58 <DIR> d-------- C:\EbuDllTmpDir
2008-08-17 19:40 . 2008-08-17 19:46 <DIR> d-------- C:\cabs
2008-08-13 03:50 . 2008-05-01 09:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 03:49 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 19:24 . 2008-08-12 19:24 <DIR> d-------- C:\Program Files\7-Zip
2008-08-09 20:07 . 2008-08-09 20:07 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-06 02:36 . 2008-08-13 19:52 <DIR> d-------- C:\Program Files\Full Tilt Poker
2008-08-05 19:26 . 2008-08-05 19:26 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-25 08:20 --------- d-----w C:\Documents and Settings\Owner.Bendrix\Application Data\Xfire
2008-08-25 05:33 --------- d-----w C:\Program Files\Steam
2008-08-25 01:02 --------- d-----w C:\Documents and Settings\Owner.Bendrix\Application Data\uTorrent
2008-08-24 21:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-23 22:08 --------- d-----w C:\Documents and Settings\Owner.Bendrix\Application Data\LimeWire
2008-08-23 03:33 --------- d-----w C:\Program Files\World of Warcraft
2008-08-22 23:24 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-08-22 23:24 --------- d-----w C:\Documents and Settings\Owner.Bendrix\Application Data\SystemRequirementsLab
2008-08-21 04:56 --------- d-----w C:\Program Files\Xfire
2008-08-19 10:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-19 01:59 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-18 00:59 29,708 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-18 00:59 14,017,056 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-18 00:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-14 08:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-14 08:02 --------- d-----w C:\Program Files\Microsoft Works
2008-08-14 01:09 --------- d-----w C:\Program Files\GetRight
2008-08-14 00:51 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-08-13 21:04 --------- d-----w C:\Program Files\LimeWire
2008-08-07 08:21 --------- d-----w C:\Program Files\PokerStars.NET
2008-08-04 09:52 --------- d-----w C:\Program Files\DivX
2008-08-02 09:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2008-07-22 06:33 --------- d-----w C:\Program Files\Bits N Bytes
2008-07-09 14:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-07-03 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-01 04:38 --------- d-----w C:\Program Files\Red Kawa
2008-06-29 07:29 --------- d-----w C:\Documents and Settings\Owner.Bendrix\Application Data\DivX
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-04 15:49 68856]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 20:44 139264]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 09:15 151552]
"CCUTRAYICON"="C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-07-27 11:54 303104]
"NMSSupport"="C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-03-29 21:10 375296]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-07-13 15:34 9134080]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 02:05 217088]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.09\RivaTuner.exe" [2008-04-28 13:25 2707456]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 19:12 169984]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 18:19 77312 C:\WINDOWS\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-13 19:12 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-03-25 05:59:00 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-03-25 05:56 303616]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.Bendrix^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Owner.Bendrix\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.Bendrix^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Owner.Bendrix\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-02-15 19:30 169984 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-08-12 18:16 1121792 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-08-21 16:33 1271032 c:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-05-28 10:33 1506544 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 21:05 204288 C:\Program Files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
--a------ 2008-07-09 09:05 919016 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Steam\\steamapps\\mikel6666\\source sdk base\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\mikel6666\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 09:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 09:37]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);C:\WINDOWS\system32\DRIVERS\xcbda.sys [2006-06-27 13:57]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 16:10]
S3 PciCon;PciCon;E:\PciCon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{512cf020-dd98-11dc-bf10-001676cb73b1}]
\Shell\AutoRun\command - J:\Launcher.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SigmatelSysTrayApp - sttray.exe
MSConfigStartUp-egui - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner.Bendrix\Application Data\Mozilla\Firefox\Profiles\myoxgwvf.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_02\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_02\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_02\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_02\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_02\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 04:10:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
.
**************************************************************************
.
Completion time: 2008-08-25 4:31:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-25 09:31:43

Pre-Run: 150,386,921,472 bytes free
Post-Run: 150,333,554,688 bytes free

263 --- E O F --- 2008-08-19 01:59:03
  • 0

#12
BHowett
Posted 28 August 2008 - 06:48 PM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hi Bendrix,

Please do the following...


Combofix Script.txt
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\NV36685592.TMP
C:\WINDOWS\system32\nvapps.nvb
C:\WINDOWS\system32\d3d9caps.dat
C:\WINDOWS\system32\d3d8caps.dat
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{512cf020-dd98-11dc-bf10-001676cb73b1}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


Also let me know how your systerm is running now :)
  • 0

#13
Bendrix
Posted 28 August 2008 - 10:20 PM

Bendrix

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Here's my Combo Fix:

ComboFix 08-08-28.04 - Owner 2008-08-28 22:36:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1227 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.Bendrix\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.Bendrix\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\NV36685592.TMP
C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\system32\d3d9caps.dat
C:\WINDOWS\system32\nvapps.nvb
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner.Bendrix\Application Data\macromedia\Flash Player\#SharedObjects\LPSY5EPE\bin.clearspring.com
C:\Documents and Settings\Owner.Bendrix\Application Data\macromedia\Flash Player\#SharedObjects\LPSY5EPE\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Owner.Bendrix\Application Data\macromedia\Flash Player\#SharedObjects\LPSY5EPE\interclick.com
C:\Documents and Settings\Owner.Bendrix\Application Data\macromedia\Flash Player\#SharedObjects\LPSY5EPE\interclick.com\ud.sol
C:\Documents and Settings\Owner.Bendrix\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Owner.Bendrix\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Owner.Bendrix\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner.Bendrix\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\system32\d3d9caps.dat
C:\WINDOWS\system32\nvapps.nvb
C:\WINDOWS\system32\vsdatant.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VSDATANT
-------\Service_vsdatant


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-26 18:15 . 2008-08-26 18:15 <DIR> d-------- C:\Documents and Settings\Owner.Bendrix\Application Data\InstallShield Installation Information
2008-08-26 18:00 . 2008-08-26 18:00 <DIR> d-------- C:\Program Files\Unreal Tournament 3
2008-08-25 17:30 . 2008-08-25 17:30 <DIR> d-------- C:\Documents and Settings\Owner.Bendrix\Application Data\InstallShield
2008-08-25 17:30 . 2007-03-20 19:05 73,728 --a------ C:\WINDOWS\system32\Diamondback.cpl
2008-08-25 17:09 . 2008-08-25 17:30 <DIR> d-------- C:\Program Files\Razer
2008-08-25 17:09 . 2004-12-16 22:52 53,248 --a------ C:\WINDOWS\system32\razer.cpl
2008-08-25 17:09 . 2005-04-24 22:43 13,225 --a------ C:\WINDOWS\system32\drivers\Razerlow.sys
2008-08-24 16:34 . 2008-08-24 16:34 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-08-24 16:34 . 2008-08-24 16:34 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-08-24 01:11 . 2008-08-24 01:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-08-23 03:50 . 2008-08-23 03:50 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-08-23 01:14 . 2008-08-23 01:15 <DIR> d-------- C:\Program Files\RivaTuner v2.09
2008-08-23 01:14 . 2008-08-23 01:14 <DIR> d-------- C:\Program Files\RivaTuner
2008-08-22 18:28 . 2008-08-22 18:30 <DIR> d-------- C:\WINDOWS\NV36685592.TMP
2008-08-22 17:44 . 2008-08-22 18:30 <DIR> d-------- C:\WINDOWS\nview
2008-08-22 17:44 . 2008-05-16 11:48 446,464 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-08-22 17:44 . 2008-05-16 14:01 446,464 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-08-22 17:44 . 2008-08-28 17:27 181,718 --a------ C:\WINDOWS\system32\nvapps.xml
2008-08-22 17:44 . 2008-05-16 14:01 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-08-21 23:51 . 2008-08-23 20:50 <DIR> d---s---- C:\Program Files\HLSW
2008-08-21 23:51 . 2008-08-23 20:50 <DIR> d-------- C:\Documents and Settings\Owner.Bendrix\Application Data\HLSW
2008-08-20 19:29 . 2008-08-20 19:29 <DIR> d-------- C:\Documents and Settings\Owner.Bendrix\Application Data\SmartFTP
2008-08-20 19:28 . 2008-08-20 19:28 <DIR> d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-08-20 19:28 . 2008-08-20 19:28 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-08-19 07:07 . 2008-08-19 07:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-19 07:07 . 2008-08-19 07:07 <DIR> d-------- C:\Documents and Settings\Owner.Bendrix\Application Data\Malwarebytes
2008-08-19 07:07 . 2008-08-19 07:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-19 07:07 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-19 07:07 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-19 05:58 . 2008-08-19 05:58 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-19 05:58 . 2008-08-19 05:58 <DIR> d-------- C:\Documents and Settings\Owner.Bendrix\Application Data\SUPERAntiSpyware.com
2008-08-19 05:58 . 2008-08-19 05:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-19 05:52 . 2008-08-19 07:07 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-19 05:52 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-08-17 19:58 . 2008-08-17 19:58 <DIR> d-------- C:\EbuDllTmpDir
2008-08-17 19:40 . 2008-08-17 19:46 <DIR> d-------- C:\cabs
2008-08-13 03:50 . 2008-05-01 09:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 03:49 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 19:24 . 2008-08-12 19:24 <DIR> d-------- C:\Program Files\7-Zip
2008-08-09 20:07 . 2008-08-09 20:07 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-06 02:36 . 2008-08-13 19:52 <DIR> d-------- C:\Program Files\Full Tilt Poker
2008-08-05 19:26 . 2008-08-05 19:26 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 01:08 --------- d-----w C:\Program Files\Steam
2008-08-28 05:24 --------- d-----w C:\Documents and Settings\Owner.Bendrix\Application Data\Xfire
2008-08-25 22:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-25 01:02 --------- d-----w C:\Documents and Settings\Owner.Bendrix\Application Data\uTorrent
2008-08-24 21:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-23 22:08 --------- d-----w C:\Documents and Settings\Owner.Bendrix\Application Data\LimeWire
2008-08-23 03:33 --------- d-----w C:\Program Files\World of Warcraft
2008-08-22 23:24 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-08-22 23:24 --------- d-----w C:\Documents and Settings\Owner.Bendrix\Application Data\SystemRequirementsLab
2008-08-21 04:56 --------- d-----w C:\Program Files\Xfire
2008-08-19 10:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-19 01:59 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-18 00:59 29,708 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-18 00:59 14,017,056 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-14 08:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-14 08:02 --------- d-----w C:\Program Files\Microsoft Works
2008-08-14 01:09 --------- d-----w C:\Program Files\GetRight
2008-08-14 00:51 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-08-13 21:04 --------- d-----w C:\Program Files\LimeWire
2008-08-07 08:21 --------- d-----w C:\Program Files\PokerStars.NET
2008-08-04 09:52 --------- d-----w C:\Program Files\DivX
2008-08-02 09:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2008-07-22 06:33 --------- d-----w C:\Program Files\Bits N Bytes
2008-07-09 14:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-07-03 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-01 04:38 --------- d-----w C:\Program Files\Red Kawa
2008-06-29 07:29 --------- d-----w C:\Documents and Settings\Owner.Bendrix\Application Data\DivX
.

((((((((((((((((((((((((((((( snapshot@2008-08-25_ 4.29.21.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-24 21:56:52 10,134 ----a-r C:\WINDOWS\Installer\{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}\ARPPRODUCTICON.exe
+ 2008-08-26 23:15:22 10,134 ----a-r C:\WINDOWS\Installer\{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}\ARPPRODUCTICON.exe
+ 2008-04-13 18:45:26 36,864 -c--a-w C:\WINDOWS\system32\dllcache\hidclass.sys
+ 2008-04-13 18:45:22 24,960 -c--a-w C:\WINDOWS\system32\dllcache\hidparse.sys
+ 2008-04-13 18:45:28 10,368 -c--a-w C:\WINDOWS\system32\dllcache\hidusb.sys
- 2008-04-13 18:45:27 10,368 ----a-w C:\WINDOWS\system32\drivers\hidusb.sys
+ 2008-04-13 18:45:28 10,368 ----a-w C:\WINDOWS\system32\drivers\hidusb.sys
+ 2008-04-14 00:11:54 20,992 ----a-w C:\WINDOWS\system32\ReinstallBackups\0026\DriverFiles\i386\hid.dll
+ 2008-04-13 18:45:26 36,864 ----a-w C:\WINDOWS\system32\ReinstallBackups\0026\DriverFiles\i386\hidclass.sys
+ 2008-04-13 18:45:22 24,960 ----a-w C:\WINDOWS\system32\ReinstallBackups\0026\DriverFiles\i386\hidparse.sys
+ 2008-04-13 18:45:28 10,368 ----a-w C:\WINDOWS\system32\ReinstallBackups\0026\DriverFiles\i386\hidusb.sys
+ 2005-04-25 03:43:58 13,225 ----a-w C:\WINDOWS\system32\ReinstallBackups\0026\DriverFiles\Razerlow.sys
- 2008-08-25 08:53:34 535,372 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-08-29 02:34:48 535,372 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-08-23 21:50:35 9,584,295 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-08-28 22:09:01 9,668,056 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
- 2008-08-06 00:42:06 8,828,416 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
+ 2008-08-28 22:11:12 8,828,416 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
+ 2008-08-29 03:50:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-04 15:49 68856]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 20:44 139264]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 09:15 151552]
"CCUTRAYICON"="C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-07-27 11:54 303104]
"NMSSupport"="C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-03-29 21:10 375296]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-07-13 15:34 9134080]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 02:05 217088]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.09\RivaTuner.exe" [2008-04-28 13:25 2707456]
"razer"="C:\Program Files\Razer\razerhid.exe" [2005-05-17 18:21 147456]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 11:15 147456]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 18:19 77312 C:\WINDOWS\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-13 19:12 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-03-25 05:59:00 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-03-25 05:56 303616]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.Bendrix^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Owner.Bendrix\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.Bendrix^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Owner.Bendrix\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-02-15 19:30 169984 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-08-12 18:16 1121792 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-08-21 16:33 1271032 c:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-05-28 10:33 1506544 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 21:05 204288 C:\Program Files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
--a------ 2008-07-09 09:05 919016 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Steam\\steamapps\\mikel6666\\source sdk base\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\mikel6666\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 09:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 09:37]
R3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 22:43]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);C:\WINDOWS\system32\DRIVERS\xcbda.sys [2006-06-27 13:57]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 16:10]
S3 PciCon;PciCon;E:\PciCon.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-08-25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 22:51:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Razer\razerofa.exe
C:\WINDOWS\system32\searchindexer.exe
.
**************************************************************************
.
Completion time: 2008-08-28 23:07:13 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-08-29 04:07:09
ComboFix2.txt 2008-08-25 09:31:49

Pre-Run: 148,824,207,360 bytes free
Post-Run: 148,821,602,304 bytes free

282 --- E O F --- 2008-08-19 01:59:03
  • 0

#14
Bendrix
Posted 28 August 2008 - 10:21 PM

Bendrix

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
And my Hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:51 PM, on 28/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Razer\razerhid.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.09\RivaTuner.exe" /S
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel® Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10170 bytes
  • 0

#15
Bendrix
Posted 28 August 2008 - 10:22 PM

Bendrix

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Oh and my computer seems to be booting normally now! :)
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP