Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help with 007guard [RESOLVED]


  • This topic is locked This topic is locked

#1
Subroto

Subroto

    Member

  • Member
  • PipPip
  • 13 posts
So I have this guy who is hacking me somehow I dunno how. The only communication I have had with him is through msn and he seems to be able to obtain my ip and disable my keyboard and log me out of msn. I looked at netstat and there are a bunch of connections from 007guard and was wondering if it has something to do with my little dilemma. So if anyone could help it would be greatly appreciated. Posting HJT log and security programs I am running.


I am running Avast! anti-virus, Spybot Search & Destroy, and windows firewall. These programs combined does not seem to be able to detect the viruses/trojans. Please help! Thank You.


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:56:54 PM, on 8/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\ShortKeys2\shklite.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us6.hpwis.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\system32\BMUpdate.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zon...ds.cab57176.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193465056217
O16 - DPF: {68459DB3-59C9-449D-815B-65F729385C16} (VoiceSecure Control) - http://www.iraqvoice.com/vs264.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1193483205968
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.dmv.ca.go...hmpg/spacer.gif
O24 - Desktop Component 2: (no name) - http://www.google.com/

--
End of file - 10496 bytes
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#3
Subroto

Subroto

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hello, thank you for the reply, here is a fresh HJT log and the combofix log. Sorry for the delay.

Combofix:

ComboFix 08-08-21.02 - Owner 2008-08-23 1:05:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1256.966.1033.18.1018 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\#SharedObjects\RAFAZJ4J\interclick.com
C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\#SharedObjects\RAFAZJ4J\interclick.com\ud.sol
C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\2.exe
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\drmgs.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Service_perfmons
-------\Service_Routing


((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-21 23:21 . 2008-08-21 23:21 244 --ah----- C:\sqmnoopt08.sqm
2008-08-21 23:21 . 2008-08-21 23:21 232 --ah----- C:\sqmdata08.sqm
2008-08-21 23:09 . 2008-08-21 23:09 268 --ah----- C:\sqmdata07.sqm
2008-08-21 23:09 . 2008-08-21 23:09 244 --ah----- C:\sqmnoopt07.sqm
2008-08-21 23:07 . 2008-08-21 23:07 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Windows Desktop Search
2008-08-21 23:07 . 2008-08-21 23:07 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Logitech
2008-08-21 22:32 . 2008-08-21 22:32 244 --ah----- C:\sqmnoopt06.sqm
2008-08-21 22:32 . 2008-08-21 22:32 232 --ah----- C:\sqmdata06.sqm
2008-08-21 22:30 . 2008-08-21 22:30 244 --ah----- C:\sqmnoopt05.sqm
2008-08-21 22:30 . 2008-08-21 22:30 232 --ah----- C:\sqmdata05.sqm
2008-08-21 22:25 . 2008-08-21 22:25 244 --ah----- C:\sqmnoopt04.sqm
2008-08-21 22:25 . 2008-08-21 22:25 232 --ah----- C:\sqmdata04.sqm
2008-08-21 22:12 . 2002-07-26 21:24 <DIR> d-------- C:\Documents and Settings\TEMP\WINDOWS
2008-08-21 22:12 . 2002-07-26 21:23 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\VERITAS
2008-08-21 22:12 . 2002-07-26 21:23 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Symantec
2008-08-21 22:12 . 2002-07-26 21:23 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Share-to-Web Upload Folder
2008-08-21 22:12 . 2002-07-26 21:23 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\InterTrust
2008-08-21 22:12 . 2008-08-21 22:12 <DIR> d-------- C:\Documents and Settings\TEMP
2008-08-21 16:55 . 2008-08-21 16:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-21 16:38 . 2008-08-21 16:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-21 16:32 . 2008-08-21 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-21 04:23 . 2008-08-21 04:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Windows Search
2008-08-20 15:09 . 2008-08-20 15:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Windows Desktop Search
2008-08-20 15:08 . 2008-08-20 15:08 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-08-20 15:08 . 2008-08-20 15:08 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-08-20 15:05 . 2008-03-07 10:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-08-20 15:05 . 2008-03-07 10:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-08-20 15:05 . 2008-03-07 10:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-08-20 13:27 . 2008-08-21 23:08 <DIR> d-------- C:\Program Files\Visioneer OneTouch
2008-08-15 19:36 . 2008-08-15 19:36 <DIR> d-------- C:\Documents and Settings\Delila\Application Data\Logitech
2008-08-13 20:32 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 20:31 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 02:00 . 2008-08-12 02:00 <DIR> d-------- C:\Program Files\HyCam2
2008-08-10 23:30 . 2008-08-10 23:30 <DIR> d-------- C:\Program Files\MusicBrainz Picard
2008-08-10 23:23 . 2008-08-10 23:25 <DIR> d-------- C:\Program Files\Cloudbrain
2008-08-10 22:56 . 2003-01-27 14:27 94,208 --a------ C:\WINDOWS\system32\wmpuice.dll
2008-08-10 22:56 . 2008-08-11 00:27 69,632 --a------ C:\WINDOWS\cadSSaver.scr
2008-08-10 22:55 . 2008-08-10 22:56 <DIR> d-------- C:\Program Files\CD Art Display
2008-08-10 21:42 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-08-10 21:39 . 2008-08-10 21:41 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-08-10 21:39 . 2008-08-10 21:39 <DIR> d-------- C:\WINDOWS\Logs
2008-08-10 20:58 . 2008-08-10 21:03 5,417 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-08-10 20:45 . 2008-04-13 17:12 218,624 --a------ C:\WINDOWS\system32\uxtheme.backup
2008-08-10 16:09 . 2008-08-10 16:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Logitech
2008-08-10 16:08 . 2008-08-10 16:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2008-08-10 16:06 . 2008-08-10 16:06 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-08-10 16:06 . 2008-08-10 16:06 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-08-10 16:05 . 2008-01-09 12:26 301,656 --a------ C:\WINDOWS\system32\BtCoreIf.dll
2008-08-10 16:05 . 2008-01-09 12:27 170,512 --a------ C:\WINDOWS\system32\kemutb.dll
2008-08-10 16:05 . 2008-01-09 12:28 141,840 --a------ C:\WINDOWS\system32\KemUtil.dll
2008-08-10 16:05 . 2008-01-09 12:28 117,264 --a------ C:\WINDOWS\system32\KemWnd.dll
2008-08-10 16:05 . 2008-01-09 12:28 76,304 --a------ C:\WINDOWS\system32\KemXML.dll
2008-08-10 16:04 . 2008-08-10 16:04 <DIR> d-------- C:\Program Files\Logitech
2008-08-10 16:04 . 2008-08-10 16:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-08-10 16:04 . 2008-08-10 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-08-10 16:04 . 2008-08-10 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-08-10 02:30 . 2008-08-10 16:07 <DIR> d-------- C:\Program Files\Common Files\LogiShrd
2008-08-10 02:07 . 2003-12-12 16:06 1,693,696 --a------ C:\WINDOWS\system32\ltclr13n.dll
2008-08-10 02:07 . 2003-11-04 15:11 155,648 --a------ C:\WINDOWS\system32\lftif13n.dll
2008-08-10 02:07 . 2003-11-04 15:10 98,304 --a------ C:\WINDOWS\system32\lffax13n.dll
2008-08-10 02:07 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-08-09 04:58 . 2008-08-09 04:58 110 --a------ C:\WINDOWS\GMouse.ini
2008-08-07 13:56 . 2008-08-07 16:24 24 --a------ C:\Documents and Settings\Delila\jagex_runescape_preferences.dat
2008-08-07 13:41 . 2008-08-07 13:41 25 --a------ C:\WINDOWS\cdplayer.ini
2008-08-07 13:39 . 2008-08-07 13:39 <DIR> d-------- C:\Program Files\Real
2008-08-07 13:39 . 2008-08-07 13:39 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-08-07 13:39 . 2008-08-07 13:39 <DIR> d-------- C:\Program Files\Common Files\Real
2008-08-07 12:52 . 2008-08-07 13:20 <DIR> d-------- C:\Documents and Settings\Delila\Contacts
2008-08-07 12:34 . 2008-08-07 12:34 <DIR> d-------- C:\Documents and Settings\Delila\Application Data\Apple Computer
2008-08-07 12:24 . 2008-08-07 12:24 <DIR> d-------- C:\Documents and Settings\Delila\Application Data\NCH Swift Sound
2008-08-07 12:14 . 2008-08-07 12:14 268 --ah----- C:\sqmdata03.sqm
2008-08-07 12:14 . 2008-08-07 12:14 244 --ah----- C:\sqmnoopt03.sqm
2008-08-07 11:17 . 2002-07-26 21:24 <DIR> d-------- C:\Documents and Settings\Delila\WINDOWS
2008-08-07 11:17 . 2002-07-26 21:23 <DIR> d-------- C:\Documents and Settings\Delila\Application Data\VERITAS
2008-08-07 11:17 . 2002-07-26 21:23 <DIR> d-------- C:\Documents and Settings\Delila\Application Data\Symantec
2008-08-07 11:17 . 2002-07-26 21:23 <DIR> d-------- C:\Documents and Settings\Delila\Application Data\Share-to-Web Upload Folder
2008-08-07 11:17 . 2002-07-26 21:23 <DIR> d-------- C:\Documents and Settings\Delila\Application Data\InterTrust
2008-08-07 11:17 . 2008-08-07 20:06 <DIR> d-------- C:\Documents and Settings\Delila
2008-08-05 16:57 . 2008-08-13 18:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-05 16:57 . 2008-08-05 16:57 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-05 16:50 . 2008-08-05 16:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-08-05 16:49 . 2008-08-05 16:49 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-08-05 16:46 . 2008-08-05 16:46 <DIR> d-------- C:\WINDOWS\yellowtail
2008-08-05 16:46 . 2008-08-16 22:13 <DIR> d-------- C:\Program Files\HP
2008-08-05 16:46 . 2007-11-06 19:04 1,373,528 -ra------ C:\WINDOWS\hpzshl01.exe
2008-08-05 16:46 . 2007-11-06 19:15 1,140,056 -ra------ C:\WINDOWS\hpzmsi01.exe
2008-08-05 16:46 . 2008-01-07 07:10 10,563 -ra------ C:\WINDOWS\hpwscr19.dat
2008-08-05 16:41 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-08-05 16:41 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-08-05 16:40 . 2008-08-05 16:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-08-05 16:38 . 2007-11-05 19:07 118,272 --a------ C:\WINDOWS\system32\hpz3l5mu.dll
2008-08-05 16:33 . 2007-01-17 09:37 21,568 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-08-05 16:29 . 2008-04-13 11:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-05 16:29 . 2008-04-13 11:45 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-08-04 18:44 . 2008-06-13 04:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-04 18:11 . 2008-08-04 18:11 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-04 18:11 . 2008-08-04 18:11 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-04 18:11 . 2008-08-04 18:11 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-04 18:00 . 2008-08-20 15:07 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-08-04 17:06 . 2008-04-13 17:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-08-04 17:04 . 2008-04-13 17:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-08-04 17:03 . 2008-04-13 17:11 233,472 --------- C:\WINDOWS\system32\azroles.dll
2008-08-04 17:03 . 2008-04-13 17:11 136,192 --------- C:\WINDOWS\system32\aaclient.dll
2008-08-04 17:03 . 2008-04-13 17:11 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-08-04 04:14 . 2008-08-21 16:40 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-04 04:14 . 2008-08-21 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-04 04:11 . 2008-08-04 04:11 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-04 03:54 . 2008-08-04 03:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-08-04 03:50 . 2008-08-04 03:53 <DIR> d-------- C:\Program Files\CCleaner
2008-07-29 13:04 . 2008-07-31 16:08 <DIR> d-------- C:\Program Files\StepMania
2008-07-24 17:13 . 2008-08-22 02:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\skypePM
2008-07-24 17:13 . 2008-07-24 17:13 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-07-24 17:12 . 2008-08-22 02:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-07-24 17:09 . 2008-07-24 20:48 <DIR> d-------- C:\Program Files\Skype
2008-07-24 17:09 . 2008-07-24 17:09 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-07-24 17:09 . 2008-07-24 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-07-24 12:07 . 2008-07-24 12:07 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 18:19 24 ----a-w C:\Documents and Settings\Owner\jagex_runescape_preferences.dat
2008-08-16 19:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-13 05:50 --------- d-----w C:\Program Files\SwiftKit
2008-08-11 04:03 71,921 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2008-08-10 23:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-07 19:49 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-07 19:46 --------- d-----w C:\Program Files\Windows Live
2008-08-07 19:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-07 19:35 --------- d-----w C:\Program Files\iTunes
2008-08-07 19:32 --------- d-----w C:\Program Files\Lexmark Toolbar
2008-08-07 19:25 --------- d-----w C:\Program Files\Scansoft
2008-08-07 19:25 --------- d-----w C:\Program Files\Common Files\scansoft shared
2008-08-07 19:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-08-07 19:18 --------- d-----w C:\Program Files\Yahoo!
2008-08-01 06:40 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-07-18 19:13 --------- d-----w C:\Program Files\S3
2008-07-16 18:05 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-07-16 18:05 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-07-16 06:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\SwiftKit
2008-07-15 05:01 --------- d-----w C:\Program Files\Java
2008-07-12 17:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-12 05:58 --------- d-----w C:\Program Files\Xvid
2008-07-12 05:34 --------- d-----w C:\Program Files\NCH Software
2008-07-12 05:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
2008-07-12 05:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-07-12 05:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-07-12 04:57 --------- d-----w C:\Program Files\Final Fantasy VII
2008-07-08 09:22 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-07-08 09:12 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-08 06:45 --------- d-----w C:\Program Files\All Mobile
.

------- Sigcheck -------

2008-04-13 17:12 975872 561a50497324f378e30f55d09b4e1258 C:\WINDOWS\explorer.exe
2007-06-13 04:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 03:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2008-04-13 17:12 975872 561a50497324f378e30f55d09b4e1258 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2007-07-30 19:19 68440 84d9a61860272d6177d46c86b8431557 C:\WINDOWS\ServicePackFiles\i386\wuauclt.exe
2007-07-30 19:19 68440 84d9a61860272d6177d46c86b8431557 C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 f3e9065eb617a7e3a832a7976bfa021b C:\WINDOWS\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2008-08-13 01:50 5724184]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 16:27 385024]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-07-16 08:03 106549]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-18 23:39 212992]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-05-15 03:29 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 03:20 114688]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-06-14 16:39 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [2002-09-23 10:25 45108]
"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [2002-09-23 10:50 36864]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 17:15 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 16:27 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-08-07 13:39 185896]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [2003-08-18 07:12 94208]
"nwiz"="nwiz.exe" [2002-05-03 17:06 364544 C:\WINDOWS\system32\nwiz.exe]
"VTPreset"="VTPreset.exe" [2004-02-24 20:17 45056 C:\WINDOWS\system32\VTPreset.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 10:52 40960 C:\WINDOWS\ltmsg.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-13 17:12 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01 437160]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 15:05:02 630784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-08-10 16:05:42 789008]
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 22:19:14 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 22:19 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 12:30 72208 c:\Program Files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\MusicBrainz Picard\\picard.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4019:UDP"= 4019:UDP:Windows Media Format SDK (Indt2.sys)
"4018:UDP"= 4018:UDP:Windows Media Format SDK (Indt2.sys)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 07:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 07:37]
R3 GT680xNT;Visioneer OneTouch 7300 Driver;C:\WINDOWS\system32\drivers\gt680x.sys [2003-08-29 14:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\t6c1fb1l.default\
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 01:13:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\LogiShrd\KHAL2\KHALMNPR.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-08-23 1:24:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-23 08:24:25

Pre-Run: 36,776,521,728 bytes free
Post-Run: 37,490,929,664 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

301 --- E O F --- 2008-08-16 19:55:08


HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:34 AM, on 8/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zon...ds.cab57176.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193465056217
O16 - DPF: {68459DB3-59C9-449D-815B-65F729385C16} (VoiceSecure Control) - http://www.iraqvoice.com/vs264.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1193483205968
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://www.dmv.ca.go...hmpg/spacer.gif
O24 - Desktop Component 2: (no name) - http://www.google.com/

--
End of file - 9918 bytes


Thanks for helping me.
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please do an online scan with Kaspersky WebScanner

Make sure you are using Internet Explorer for this. Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#5
Subroto

Subroto

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here is the Kaspersky Online test log you have requested.

KOT Log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 24, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 23, 2008 13:54:09
Records in database: 1133192
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
F:\

Scan statistics:
Files scanned: 78696
Threat name: 5
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 03:44:45


File name / Threat name / Threats count
C:\Documents and Settings\Owner\My Documents\Downloads\Downloads\180244.exe Infected: not-a-virus:AdWare.Win32.OneStep.c 1
C:\Documents and Settings\Owner\My Documents\Downloads\Downloads\180244.exe Infected: not-a-virus:AdWare.Win32.Relevant.a 1
C:\Documents and Settings\Owner\My Documents\Downloads\Downloads\180244.exe Infected: not-a-virus:AdTool.Win32.WhenU.a 1
C:\Documents and Settings\Owner\My Documents\Downloads\Downloads\swiftswitch(install).exe Infected: not-a-virus:AdWare.Win32.EShoper.bg 1
C:\WINDOWS\system32\ndt.sys Infected: Trojan-Downloader.Win32.Delf.hpa 1
C:\WINDOWS\system32\ndt2.sys Infected: Trojan-Downloader.Win32.Delf.hpa 1

The selected area was scanned.
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\Owner\My Documents\Downloads\Downloads\180244.exe
C:\Documents and Settings\Owner\My Documents\Downloads\Downloads\180244.exe
C:\Documents and Settings\Owner\My Documents\Downloads\Downloads\180244.exe
C:\Documents and Settings\Owner\My Documents\Downloads\Downloads\swiftswitch(install).exe
C:\WINDOWS\system32\ndt.sys
C:\WINDOWS\system32\ndt2.sys

Folder::

DirLook::
C:\Documents and Settings\Owner\My Documents\Downloads\Downloads


Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.





Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
  • 0

#7
Subroto

Subroto

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
It seems that the forum would not let me post a log that big I will post it as an attachment. (ComboFix Log Attached)

Here is the mbam-Log:

Malwarebytes' Anti-Malware 1.25
Database version: 1080
Windows 5.1.2600 Service Pack 3

7:57:50 PM 8/24/2008
mbam-log-08-24-2008 (19-57-50).txt

Scan type: Quick Scan
Objects scanned: 54791
Time elapsed: 6 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files


Edited by Subroto, 24 August 2008 - 09:05 PM.

  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image



  • Make sure you have an Internet Connection.
  • Download OTCleanIt to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTCleanUp to reach the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#9
Subroto

Subroto

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi, thank you so much for your help it seems that 007guard is not making any more connections and I was wondering if you would personally recommend any anti-virus/malware program that would be good to run. I am running avast and spybot s&d for right now. If those are good programs then great! Thank you again for your help.
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Avast is very good, my preference is Avira though. That is very effective against new malware. However if you like Avast then stick with that

Remove Spybot and keep MBAM instead, it is far superior


As for firewall, my preference is for Comodo, it is the best :)
  • 0

#11
Subroto

Subroto

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Do you know if there are any free antivirus programs thats decent?
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Avira is free and my favourite

http://www.free-av.com

As is Comodo
  • 0

#13
Subroto

Subroto

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Ok I have installed and running: Avira, Comodo, and Mbam. Thank you for your help I really appreciate it.
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP