Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Continous BSOD + Various more problems [CLOSED]

Started by ulti , Aug 23 2008 04:27 PM

  • This topic is locked This topic is locked

#1
ulti
Posted 23 August 2008 - 04:27 PM

ulti

    Member

  • Member
  • PipPip
  • 12 posts
http://www.geekstogo...85#entry1290185


to make this short i apparently have been having the same problems as the person above has stated in.

Such as BSOD screens that are all different such as these and a few more that are not listed.

BAD_POOL_HEADER
Stop: 0x00000019

PANIC_STACK_SWITCH
Stop: 0x0000002B

BOGUS_DRIVER
Stop: 0x00000099

UNEXPECTED_KERNAL_MODE_TRAP
Stop: 0x0000007F

PAGE_FAULT_IN_NONPAGED_AREA
Stop: 0x00000050


Also i apparently have my desktop background continously changed to a blue screen with a big box in the middle telling me to

get antispyware or antivirus.

So.... i was wondering if i could get some help?
  • 0

Advertisements

#2
Blade81
Posted 31 August 2008 - 12:03 PM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP
Hi ulti

Download and install TrendMicro HijackThis
* Once installed open HijackThis by clicking Start > Programs > HijackThis and click the button labeled
Do a system scan only

* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete the scan button will now read save log. Click this button to save the log file to your PC. Once you select where you would like to save the file it will open in your systems default text editor. Typically this application is Notepad. Post the log here.
  • 0

#3
Blade81
Posted 06 September 2008 - 06:58 AM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#4
Blade81
Posted 14 September 2008 - 05:20 AM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP
Topic re-opened upon user's request.
  • 0

#5
ulti
Posted 14 September 2008 - 09:19 AM

ulti

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Here is the Hijackthis report


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:49, on 2008-09-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.yahoo.com.cn/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07F54D26-6DD1-1746-CC42-EC74F8DBE04C} - C:\WINDOWS\system32\iefn32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [addbb32.exe] C:\WINDOWS\system32\addbb32.exe
O4 - HKLM\..\Run: [v0zGjJ] C:\documents and settings\owner\local settings\temp\v0zGjJ.exe
O4 - HKLM\..\Run: [winws.exe] C:\WINDOWS\system32\winws.exe
O4 - HKLM\..\Run: [wLXi] C:\documents and settings\owner\local settings\temp\wLXi.exe
O4 - HKLM\..\Run: [mswn32.exe] C:\WINDOWS\system32\mswn32.exe
O4 - HKLM\..\Run: [netij32.exe] C:\WINDOWS\system32\netij32.exe
O4 - HKLM\..\Run: [javaed.exe] C:\WINDOWS\system32\javaed.exe
O4 - HKLM\..\Run: [KIiSvib] C:\documents and settings\owner\local settings\temp\KIiSvib.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [sdknw.exe] C:\WINDOWS\system32\sdknw.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [eeypkf] c:\windows\system32\tasgpc.exe
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [{a8f70898-2302-f331-85c0-8feafc52bd03}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\vbsutiuvuk.dll" DllStart
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [lphcvflj0eta5] C:\WINDOWS\system32\lphcvflj0eta5.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: ???? - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/203
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: VeryCDËÑË÷ - C:\Program Files\YOK.com\SuperSearch\yoksch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: YOK³¬¼¶ËÑË÷ - C:\PROGRA~1\yok\yoksch.htm
O8 - Extra context menu item: ʹÓÃPCDownloaderÏÂÔØ - C:\Program Files\PCDownloader\PCDownloader.htm
O9 - Extra button: Ãâ·Ñ¾«²ÊÊÓƵ³¬Á÷³©ÔÚÏß¹Û¿´ - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O9 - Extra 'Tools' menuitem: ²¥°ÔµçÊÓ - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: YOK³¬¼¶ËÑË÷ - {F869BB38-FFEF-4589-B986-610B7AD0ADA2} - http://www.yok.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.forummotion.com
O15 - Trusted Zone: http://global.hidden-street.net
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {20050325-D35A-4233-926E-2E801AE25949} (NMJPStarter15 Class) - http://www.netmarble...MStarterJP6.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtange...ave/Install.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} - http://www.errorguar...ion/Install.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip....pGameLoader.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip....pGameLoader.dll
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/a...ic_new/nxpm.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {43911577-D383-44BF-B4B5-571AB61F045F} (MAWS Class) - http://www.koreacont...allCommon02.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload....Plugin11USA.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124068282078
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://file.netmarbl...l/NMJTransX.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabino...eb.2007.4.4.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares....LauncherNew.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimd...lidstateion.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1009 Class) - http://member.hangam...anSetup1009.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.trickster...sterActiveX.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - https://my.levelupga...crypt/npkcx.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.trickster...utComponent.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload....Plugin10USA.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F7899FAE-51C9-4EF5-B98C-A64997635235} (GSPRunGame Class) - http://www.playinfin.../WindyGSPAx.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - http://cache10.itv.m...0.88_signed.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{53BF5ECF-6CF8-42A4-A278-EBD7DA2C8C61}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBFF62AE-D80D-43CE-84EE-FE2E9198C0E2}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.77 85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.77 85.255.112.159
O20 - Winlogon Notify: winstart - winstart.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - http://67.18.37.16/2...pload/av-49.gif

--
End of file - 16043 bytes
  • 0

#6
ulti
Posted 14 September 2008 - 09:19 AM

ulti

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Eww double post.

Edited by ulti, 14 September 2008 - 09:20 AM.

  • 0

#7
Blade81
Posted 14 September 2008 - 10:06 AM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP
Hi


You may want to print out these instructions for reference, since you
will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make
sure Run fixit is checked and click Finish. The fix will
begin; follow the prompts. You will be asked to reboot your computer;
please do so. Your system may take longer than usual to load; this is
normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt


Then continue by following steps below.

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingc...to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
  • 0

#8
ulti
Posted 14 September 2008 - 12:48 PM

ulti

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
This is the fixwareout log

Username "Owner" - 2008-09-14 13:22:51 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdbca.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.77 85.255.112.159" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{53BF5ECF-6CF8-42A4-A278-EBD7DA2C8C61}
"nameserver"="85.255.115.77,85.255.112.159" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{DBFF62AE-D80D-43CE-84EE-FE2E9198C0E2}
"nameserver"="85.255.115.77,85.255.112.159" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{2D5C8792-1B13-41D5-AAB6-51483AA699BD}
"DhcpNameServer"="85.255.115.77,85.255.112.159" <Value cleared.

Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"addbb32.exe"="C:\\WINDOWS\\system32\\addbb32.exe"
"v0zGjJ"="C:\\documents and settings\\owner\\local settings\\temp\\v0zGjJ.exe"
"winws.exe"="C:\\WINDOWS\\system32\\winws.exe"
"wLXi"="C:\\documents and settings\\owner\\local settings\\temp\\wLXi.exe"
"mswn32.exe"="C:\\WINDOWS\\system32\\mswn32.exe"
"netij32.exe"="C:\\WINDOWS\\system32\\netij32.exe"
"javaed.exe"="C:\\WINDOWS\\system32\\javaed.exe"
"KIiSvib"="C:\\documents and settings\\owner\\local settings\\temp\\KIiSvib.exe"
"AlcxMonitor"="ALCXMNTR.EXE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"sdknw.exe"="C:\\WINDOWS\\system32\\sdknw.exe"
"LTMSG"="LTMSG.exe 7"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"eeypkf"="c:\\windows\\system32\\tasgpc.exe"
"YLive.exe"="C:\\PROGRA~1\\Yahoo!\\ASSIST~1\\YLive.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="\"C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe\" /SYNC"
"PHIME2002ASync"="\"C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE\" /SYNC"
"PHIME2002A"="\"C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE\" /IMEName"
"{a8f70898-2302-f331-85c0-8feafc52bd03}"="C:\\WINDOWS\\System32\\Rundll32.exe \"C:\\WINDOWS\\system32\\vbsutiuvuk.dll\" DllStart"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"lphcvflj0eta5"="C:\\WINDOWS\\system32\\lphcvflj0eta5.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /0"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"
....
Hosts file was reset, If you use a custom hosts file please replace it...
C:\WINDOWS\System32\AUTOEXEC.NT missing
~~~~~ End report ~~~~~



llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
llllllllllllllllllllll



This is the combofix log

ComboFix 08-09-13.05 - Owner 2008-09-14 13:54:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.193 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp1.tmp
C:\Documents and Settings\Owner\cookies\[email protected][3].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\owner@turn[2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Program Files\Mozilla Firefox\components\nsBrowserGal.dll
C:\Program Files\yahoo!\assist~1
C:\Program Files\yahoo!\assist~1\Assist\CoolBar\prodef.ini
C:\Program Files\yahoo!\assist~1\Assist\CoolBar\profile.ini
C:\Program Files\yahoo!\assist~1\Assist\Images\adkiller.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\alert.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\alertnew.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\anitvirus.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\assist.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\clear.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\custheme.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\daoyan3.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\gouwu.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\hilight.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\iefix.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\logo.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\music.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\musiclink.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\musictop.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\picture.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\search.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\searchtop.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\settings.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\Thumbs.db
C:\Program Files\yahoo!\assist~1\Assist\Images\yphtb.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\yrss.bmp
C:\Program Files\yahoo!\assist~1\Assist\profile\1.gif
C:\Program Files\yahoo!\assist~1\Assist\profile\10.gif
C:\Program Files\yahoo!\assist~1\Assist\profile\11.gif
C:\Program Files\yahoo!\assist~1\Assist\profile\13.gif
C:\Program Files\yahoo!\assist~1\Assist\profile\14.gif
C:\Program Files\yahoo!\assist~1\Assist\profile\15.gif
C:\Program Files\yahoo!\assist~1\Assist\profile\16.gif
C:\Program Files\yahoo!\assist~1\Assist\profile\17.gif
C:\Program Files\yahoo!\assist~1\Assist\profile\18.gif
C:\Program Files\yahoo!\assist~1\Assist\profile\19.gif
C:\Program Files\yahoo!\assist~1\Assist\profile\20.gif
C:\Program Files\yahoo!\assist~1\Assist\profile\22.gif
C:\Program Files\yahoo!\assist~1\Assist\profile\23.gif
C:\Program Files\yahoo!\assist~1\Assist\profile\3.gif
C:\Program Files\yahoo!\assist~1\Assist\profile\6.gif
C:\Program Files\yahoo!\assist~1\Assist\profile\7.gif
C:\Program Files\yahoo!\assist~1\Assist\profile\8.gif
C:\Program Files\yahoo!\assist~1\Assist\profile\9.gif
C:\Program Files\yahoo!\assist~1\Assist\profile\profile.xml
C:\Program Files\yahoo!\assist~1\Assist\SearchBar\prodef.ini
C:\Program Files\yahoo!\assist~1\Assist\SearchBar\profile.ini
C:\Program Files\yahoo!\assist~1\Assist\SecurityBar\prodef.ini
C:\Program Files\yahoo!\assist~1\Assist\SecurityBar\profile.ini
C:\Program Files\yahoo!\assist~1\Assist\Update\filter.ini
C:\Program Files\yahoo!\assist~1\Shell\ysp.exe
C:\Program Files\yahoo!\assist~1\yal01.dat
C:\Program Files\yahoo!\assist~1\yalive.dll
C:\Program Files\yahoo!\assist~1\yalive.dll.1.log
C:\Program Files\yahoo!\assist~1\yalive.dll.2.log
C:\Program Files\yahoo!\assist~1\yalive.ini
C:\Program Files\yahoo!\assist~1\yalive3.ini
C:\Program Files\yahoo!\assist~1\yalliveex.dll
C:\Program Files\yahoo!\assist~1\yalvsw.ini
C:\Program Files\yahoo!\assist~1\yalvsw3.ini
C:\Program Files\yahoo!\assist~1\yhelper.dll
C:\Program Files\yahoo!\assist~1\yhelperup.dll
C:\Program Files\yahoo!\assist~1\ylive.exe
C:\Program Files\yahoo!\assist~1\ynotifier.dll
C:\Program Files\yahoo!\assist~1\yscrblock.dll
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\phcvflj0eta5.bmp
C:\WINDOWS\Sysvxd.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CNSMINKP
-------\Legacy_XPROTECTOR
-------\Service_CnsMinKP
-------\Service_XPROTECTOR


((((((((((((((((((((((((( Files Created from 2008-08-14 to 2008-09-14 )))))))))))))))))))))))))))))))
.

2008-09-14 13:22 . 2008-09-14 13:29 <DIR> d-------- C:\fixwareout
2008-09-14 00:46 . 2008-09-14 00:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-25 01:01 . 2008-08-25 01:01 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-20 22:31 . 2008-08-20 22:31 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-17 00:31 . 2008-08-23 17:24 <DIR> d-------- C:\Program Files\SpeedFan
2008-08-17 00:31 . 2008-08-17 00:31 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-08-16 01:32 . 2008-08-25 00:45 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2008-08-16 01:32 . 2008-08-16 01:32 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-08-16 01:32 . 2006-11-24 10:19 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-08-14 12:05 . 2008-08-14 12:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-08-14 12:05 . 2007-10-30 05:25 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-08-14 12:05 . 2007-10-30 05:25 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-08-14 12:04 . 2007-10-30 05:22 970,752 -ra------ C:\WINDOWS\system32\hpotiop6.dll
2008-08-14 12:04 . 2007-10-30 05:22 729,088 -ra------ C:\WINDOWS\system32\hpowiax8.dll
2008-08-14 12:04 . 2007-10-30 05:25 372,736 -ra------ C:\WINDOWS\system32\hppldcoi.dll
2008-08-14 12:04 . 2007-10-30 05:25 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll
2008-08-14 12:04 . 2007-10-30 05:22 303,104 -ra------ C:\WINDOWS\system32\hpovst14.dll
2008-08-14 12:04 . 2008-02-11 23:49 271,704 -ra------ C:\WINDOWS\system32\hpzids01.dll
2008-08-14 12:04 . 2008-02-07 10:26 118,272 --a------ C:\WINDOWS\system32\hpz3l5mu.dll
2008-08-14 12:04 . 2007-10-30 05:25 21,568 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-08-14 12:04 . 2004-08-04 00:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-14 12:04 . 2004-08-04 00:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-14 17:57 --------- d-----w C:\Program Files\Yahoo!
2008-09-07 16:50 --------- d-----w C:\Program Files\Java
2008-08-25 04:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-23 23:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-15 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-08 05:46 --------- d-----w C:\Program Files\PCDownloader
2008-08-08 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-06 00:37 --------- d-----w C:\Program Files\DivX
2008-07-30 04:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-30 04:14 --------- d-----w C:\Program Files\Logitech
2008-07-30 04:13 --------- d-----w C:\Program Files\Common Files\Logitech
2008-07-30 03:52 --------- d-----w C:\Program Files\Quicken
2008-07-29 14:06 --------- d-----w C:\Program Files\Apple Software Update
2008-07-23 16:50 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-07-23 16:50 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-07-23 16:50 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-01-05 18:21 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-03-18 12:55 396 ----a-w C:\Program Files\INSTALL.LOG
2006-02-10 01:05 72 ----a-w C:\Program Files\UnInst.log
2006-01-26 05:58 264 ----a-w C:\Program Files\patch_malaysia_eng_openbeta.cfg
2005-12-04 19:59 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2005-11-19 04:56 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2004-12-03 23:39 4 ----a-w C:\Program Files\index.tmp
2004-06-23 18:55 20,480 ----a-w C:\Program Files\ProcManager.exe
2005-01-19 16:32 3,547 --sha-w C:\WINDOWS\cikpw.dat
2005-04-09 02:10 4,080 --sha-w C:\WINDOWS\system32\ateb_3pacsenur.dat
2005-01-13 22:06 3,537 --sha-w C:\WINDOWS\system32\owgvb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2007-10-01 3567928]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 61440]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 118784]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-12 180269]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 286720]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2003-08-16 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2003-08-15 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-08-15 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-08-15 455168]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 C:\WINDOWS\ALCXMNTR.EXE]
"LTMSG"="LTMSG.exe" [2004-12-09 C:\WINDOWS\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2004-01-27 557056]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^V CAST Music Monitor.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\V CAST Music Monitor.lnk
backup=C:\WINDOWS\pss\V CAST Music Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-08-20 16:51 118784 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
--a------ 2003-08-21 07:15 483328 C:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-08-21 07:23 49152 c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 20:04 52736 c:\WINDOWS\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2003-11-03 20:50 221184 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-01-26 06:24 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-03-12 01:53 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 12:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-11-13 16:48 3411968 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
--a------ 2004-12-09 15:37 40960 C:\WINDOWS\ltmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Blitz 1941 Global\\BlitzClient2.exe"=
"C:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\ijji\\ENGLISH\\u_gunz.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"27297:TCP"= 27297:TCP:BitComet 27297 TCP
"27297:UDP"= 27297:UDP:BitComet 27297 UDP
"9842:TCP"= 9842:TCP:SolidNetworkManager
"9842:UDP"= 9842:UDP:SolidNetworkManager
"62998:TCP"= 62998:TCP:SolidNetworkManager
"62998:UDP"= 62998:UDP:SolidNetworkManager
"30151:TCP"= 30151:TCP:SolidNetworkManager
"30151:UDP"= 30151:UDP:SolidNetworkManager
"11815:TCP"= 11815:TCP:BitComet 11815 TCP
"11815:UDP"= 11815:UDP:BitComet 11815 UDP
"45010:TCP"= 45010:TCP:*:Disabled:SolidNetworkManager
"45010:UDP"= 45010:UDP:*:Disabled:SolidNetworkManager
"6112:TCP"= 6112:TCP:warcraft 3 customgames

R0 hkssnizl;hkssnizl;C:\WINDOWS\system32\DRIVERS\hkssnizl.sys [2007-07-11 11192]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 npkcmsvc;npkcmsvc;C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 80528]
R2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 22912]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys [ ]
S3 npkycryp;npkycryp;C:\Nexon\Mabinogi\npkycryp.sys [ ]
S3 vcddev;VCD VNC Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\vcdvnic.sys [2006-03-09 13312]
S3 XDva030;XDva030;C:\WINDOWS\system32\XDva030.sys [ ]
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-addbb32.exe - C:\WINDOWS\system32\addbb32.exe
HKLM-Run-v0zGjJ - C:\documents and settings\owner\local settings\temp\v0zGjJ.exe
HKLM-Run-winws.exe - C:\WINDOWS\system32\winws.exe
HKLM-Run-wLXi - C:\documents and settings\owner\local settings\temp\wLXi.exe
HKLM-Run-mswn32.exe - C:\WINDOWS\system32\mswn32.exe
HKLM-Run-netij32.exe - C:\WINDOWS\system32\netij32.exe
HKLM-Run-javaed.exe - C:\WINDOWS\system32\javaed.exe
HKLM-Run-KIiSvib - C:\documents and settings\owner\local settings\temp\KIiSvib.exe
HKLM-Run-ViewMgr - C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
HKLM-Run-sdknw.exe - C:\WINDOWS\system32\sdknw.exe
HKLM-Run-eeypkf - c:\windows\system32\tasgpc.exe
HKLM-Run-ISUSPM Startup - C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
HKLM-Run-{a8f70898-2302-f331-85c0-8feafc52bd03} - C:\WINDOWS\system32\vbsutiuvuk.dll
HKLM-Run-lphcvflj0eta5 - C:\WINDOWS\system32\lphcvflj0eta5.exe
Notify-winstart - winstart.dll
MSConfigStartUp-eMuleAutoStart - C:\Program Files\eMule\emule.exe
MSConfigStartUp-LDM - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
MSConfigStartUp-LogitechVideoTray - C:\Program Files\Logitech\Video\LogiTray.exe
MSConfigStartUp-MsnMsgr - C:\Program Files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-PostSetupCheck - C:\WINDOWS\system32\cpmsky.dll
MSConfigStartUp-Skype - C:\Program Files\Skype\Phone\Skype.exe
MSConfigStartUp-VTTimer - VTTimer.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\w4xqhzt5.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://google.atcomet.com/b/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-14 14:20:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-09-14 14:32:10 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-09-14 18:31:20

Pre-Run: 21,750,607,872 bytes free
Post-Run: 34,247,680,000 bytes free

325 --- E O F --- 2008-09-14 18:02:41

Edited by ulti, 14 September 2008 - 01:26 PM.

  • 0

#9
ulti
Posted 14 September 2008 - 12:48 PM

ulti

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
another double post =3=

Edited by ulti, 14 September 2008 - 12:50 PM.

  • 0

#10
Blade81
Posted 14 September 2008 - 01:48 PM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP
Hi


Disable SpySweeper's realtime protection.
  • Open Spysweeper and click on Options
  • Choose Program Options and uncheck
    load at windows
    startup
    .
  • On the left click
    shields
    and then uncheck everything.
  • Uncheck
    home page shield
    .
  • Uncheck
    automatically restore default without notification
    .
  • Exit the program.


Upload following file to http://www.virustotal.com and post back the results:
C:\WINDOWS\system32\DRIVERS\hkssnizl.sys


Uninstall all Java versions older than Java 6 update 7.


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Program Files\index.tmp
C:\Program Files\ProcManager.exe
C:\WINDOWS\cikpw.dat
C:\WINDOWS\system32\owgvb.dat

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Uninstall old Adobe Reader and get the latest one here or get Foxit Reader here.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh hjt log and above meantioned ComboFix resultant log.
  • 0

Advertisements

#11
ulti
Posted 14 September 2008 - 04:09 PM

ulti

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
This is the Virustotal report

File prbuqhtr.sys received on 08.09.2008 06:17:32 (CET)
Current status: finished

Result: 3/36 (8.33%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - Rootkit.Win32.Agent.aff
K7AntiVirus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - VirTool:WinNT/Rootkitdrv.BT
NOD32v2 - - -
Norman - - -
Panda - - -
PCTools - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)
ViRobot - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: 4e37a88d3fa05668058cc502772a372f
SHA1: 86620a6db27025a2b1e5fd30b19c0ab61a7af0a0
SHA256: dc4d4a5b5e91eef6bb1ce4d821442b0fa31c39c91a3861059b13f2186f2a4672
SHA512: 23824c66a6ba84ed0dc1c153ad1171ce0f0829616c97864bbe8412ef0cc915358b1df67816f930be
134c1aab120e1e0644891d1de1b54b4bccf7a44080f5edfa
  • 0

#12
ulti
Posted 14 September 2008 - 05:44 PM

ulti

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
This is the Combo fix

ComboFix 08-09-14.01 - Owner 2008-09-14 18:16:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.196 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\index.tmp
C:\Program Files\ProcManager.exe
C:\WINDOWS\cikpw.dat
C:\WINDOWS\system32\owgvb.dat

.
((((((((((((((((((((((((( Files Created from 2008-08-14 to 2008-09-14 )))))))))))))))))))))))))))))))
.

2008-09-14 15:47 . 2008-09-14 16:15 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-14 13:22 . 2008-09-14 13:29 <DIR> d-------- C:\fixwareout
2008-09-14 00:46 . 2008-09-14 00:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-25 01:01 . 2008-08-25 01:01 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-20 22:31 . 2008-08-20 22:31 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-17 00:31 . 2008-08-23 17:24 <DIR> d-------- C:\Program Files\SpeedFan
2008-08-17 00:31 . 2008-08-17 00:31 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-08-16 01:32 . 2008-08-25 00:45 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2008-08-16 01:32 . 2008-08-16 01:32 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-08-16 01:32 . 2006-11-24 10:19 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-08-14 12:05 . 2008-08-14 12:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-08-14 12:05 . 2007-10-30 05:25 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-08-14 12:05 . 2007-10-30 05:25 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-08-14 12:04 . 2007-10-30 05:22 970,752 -ra------ C:\WINDOWS\system32\hpotiop6.dll
2008-08-14 12:04 . 2007-10-30 05:22 729,088 -ra------ C:\WINDOWS\system32\hpowiax8.dll
2008-08-14 12:04 . 2007-10-30 05:25 372,736 -ra------ C:\WINDOWS\system32\hppldcoi.dll
2008-08-14 12:04 . 2007-10-30 05:25 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll
2008-08-14 12:04 . 2007-10-30 05:22 303,104 -ra------ C:\WINDOWS\system32\hpovst14.dll
2008-08-14 12:04 . 2008-02-11 23:49 271,704 -ra------ C:\WINDOWS\system32\hpzids01.dll
2008-08-14 12:04 . 2008-02-07 10:26 118,272 --a------ C:\WINDOWS\system32\hpz3l5mu.dll
2008-08-14 12:04 . 2007-10-30 05:25 21,568 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-08-14 12:04 . 2004-08-04 00:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-14 12:04 . 2004-08-04 00:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-14 21:57 --------- d-----w C:\Program Files\Java
2008-09-14 17:57 --------- d-----w C:\Program Files\Yahoo!
2008-08-25 04:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-23 23:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-15 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-08 05:46 --------- d-----w C:\Program Files\PCDownloader
2008-08-08 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-06 00:37 --------- d-----w C:\Program Files\DivX
2008-07-30 04:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-30 04:14 --------- d-----w C:\Program Files\Logitech
2008-07-30 04:13 --------- d-----w C:\Program Files\Common Files\Logitech
2008-07-30 03:52 --------- d-----w C:\Program Files\Quicken
2008-07-29 14:06 --------- d-----w C:\Program Files\Apple Software Update
2008-07-23 16:50 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-07-23 16:50 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-07-23 16:50 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-01-05 18:21 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-03-18 12:55 396 ----a-w C:\Program Files\INSTALL.LOG
2006-02-10 01:05 72 ----a-w C:\Program Files\UnInst.log
2006-01-26 05:58 264 ----a-w C:\Program Files\patch_malaysia_eng_openbeta.cfg
2005-12-04 19:59 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2005-11-19 04:56 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-04-09 02:10 4,080 --sha-w C:\WINDOWS\system32\ateb_3pacsenur.dat
.

((((((((((((((((((((((((((((( snapshot@2008-09-14_14.30.23.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-14 22:23:13 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_560.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 61440]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 118784]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-12 180269]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 286720]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2003-08-16 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2003-08-15 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-08-15 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-08-15 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"LTMSG"="LTMSG.exe" [2004-12-09 C:\WINDOWS\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2004-01-27 557056]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^V CAST Music Monitor.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\V CAST Music Monitor.lnk
backup=C:\WINDOWS\pss\V CAST Music Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-08-20 16:51 118784 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
--a------ 2003-08-21 07:15 483328 C:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-08-21 07:23 49152 c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 20:04 52736 c:\WINDOWS\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2003-11-03 20:50 221184 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-03-12 01:53 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 12:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-11-13 16:48 3411968 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
--a------ 2004-12-09 15:37 40960 C:\WINDOWS\ltmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Blitz 1941 Global\\BlitzClient2.exe"=
"C:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\ijji\\ENGLISH\\u_gunz.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"27297:TCP"= 27297:TCP:BitComet 27297 TCP
"27297:UDP"= 27297:UDP:BitComet 27297 UDP
"9842:TCP"= 9842:TCP:SolidNetworkManager
"9842:UDP"= 9842:UDP:SolidNetworkManager
"62998:TCP"= 62998:TCP:SolidNetworkManager
"62998:UDP"= 62998:UDP:SolidNetworkManager
"30151:TCP"= 30151:TCP:SolidNetworkManager
"30151:UDP"= 30151:UDP:SolidNetworkManager
"11815:TCP"= 11815:TCP:BitComet 11815 TCP
"11815:UDP"= 11815:UDP:BitComet 11815 UDP
"45010:TCP"= 45010:TCP:*:Disabled:SolidNetworkManager
"45010:UDP"= 45010:UDP:*:Disabled:SolidNetworkManager
"6112:TCP"= 6112:TCP:warcraft 3 customgames

R0 hkssnizl;hkssnizl;C:\WINDOWS\system32\DRIVERS\hkssnizl.sys [2007-07-11 11192]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 npkcmsvc;npkcmsvc;C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 80528]
R2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 22912]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys [ ]
S3 npkycryp;npkycryp;C:\Nexon\Mabinogi\npkycryp.sys [ ]
S3 vcddev;VCD VNC Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\vcdvnic.sys [2006-03-09 13312]
S3 XDva030;XDva030;C:\WINDOWS\system32\XDva030.sys [ ]
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-14 18:23:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-09-14 18:36:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-14 22:35:50
ComboFix2.txt 2008-09-14 18:32:13

Pre-Run: 33,605,144,576 bytes free
Post-Run: 33,620,299,776 bytes free

216 --- E O F --- 2008-09-14 19:49:19
  • 0

#13
ulti
Posted 14 September 2008 - 07:50 PM

ulti

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:36 PM, on 9/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
c:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: VeryCDËÑË÷ - C:\Program Files\YOK.com\SuperSearch\yoksch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: YOK³¬¼¶ËÑË÷ - C:\PROGRA~1\yok\yoksch.htm
O8 - Extra context menu item: ʹÓÃPCDownloaderÏÂÔØ - C:\Program Files\PCDownloader\PCDownloader.htm
O9 - Extra button: Ãâ·Ñ¾«²ÊÊÓƵ³¬Á÷³©ÔÚÏß¹Û¿´ - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O9 - Extra 'Tools' menuitem: ²¥°ÔµçÊÓ - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.forummotion.com
O15 - Trusted Zone: http://global.hidden-street.net
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {20050325-D35A-4233-926E-2E801AE25949} (NMJPStarter15 Class) - http://www.netmarble...MStarterJP6.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip....pGameLoader.dll
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/a...ic_new/nxpm.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {43911577-D383-44BF-B4B5-571AB61F045F} (MAWS Class) - http://www.koreacont...allCommon02.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload....Plugin11USA.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124068282078
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://file.netmarbl...l/NMJTransX.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabino...eb.2007.4.4.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares....LauncherNew.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimd...lidstateion.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1009 Class) - http://member.hangam...anSetup1009.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.trickster...sterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.trickster...utComponent.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload....Plugin10USA.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F7899FAE-51C9-4EF5-B98C-A64997635235} (GSPRunGame Class) - http://www.playinfin.../WindyGSPAx.cab
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - http://cache10.itv.m...0.88_signed.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O24 - Desktop Component 0: (no name) - http://67.18.37.16/2...pload/av-49.gif

--
End of file - 12107 bytes
  • 0

#14
Blade81
Posted 15 September 2008 - 08:36 AM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP

File prbuqhtr.sys received on 08.09.2008 06:17:32 (CET)
Current status: finished

Hi

Did you scan C:\WINDOWS\system32\DRIVERS\hkssnizl.sys file as I asked? The results show prbuqhtr.sys and scan timestamp is days old. Could you please try again (if it says that file has been scanned before select rescan)?
  • 0

#15
ulti
Posted 16 September 2008 - 02:54 PM

ulti

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Here is the fresh virustotal log

File hkssnizl.sys received on 09.16.2008 22:51:49 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 3/36 (8.34%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 37 and 53 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.9.13.0 2008.09.16 -
AntiVir 7.8.1.28 2008.09.16 -
Authentium 5.1.0.4 2008.09.16 -
Avast 4.8.1195.0 2008.09.16 -
AVG 8.0.0.161 2008.09.16 -
BitDefender 7.2 2008.09.16 -
CAT-QuickHeal 9.50 2008.09.16 -
ClamAV 0.93.1 2008.09.16 -
DrWeb 4.44.0.09170 2008.09.16 -
eSafe 7.0.17.0 2008.09.15 -
eTrust-Vet 31.6.6091 2008.09.16 -
Ewido 4.0 2008.09.16 -
F-Prot 4.4.4.56 2008.09.16 -
F-Secure 8.0.14332.0 2008.09.16 -
Fortinet 3.113.0.0 2008.09.16 -
GData 19 2008.09.16 -
Ikarus T3.1.1.34.0 2008.09.16 Rootkit.Win32.Agent.aff
K7AntiVirus 7.10.458 2008.09.16 -
Kaspersky 7.0.0.125 2008.09.16 -
McAfee 5384 2008.09.16 -
Microsoft 1.3903 2008.09.16 VirTool:WinNT/Rootkitdrv.BT
NOD32v2 3446 2008.09.16 -
Norman 5.80.02 2008.09.16 -
Panda 9.0.0.4 2008.09.16 -
PCTools 4.4.2.0 2008.09.16 -
Prevx1 V2 2008.09.16 -
Rising 20.62.12.00 2008.09.16 -
Sophos 4.33.0 2008.09.16 -
Sunbelt 3.1.1643.1 2008.09.16 -
Symantec 10 2008.09.16 -
TheHacker 6.3.0.9.084 2008.09.15 -
TrendMicro 8.700.0.1004 2008.09.16 -
VBA32 3.12.8.5 2008.09.16 suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)
ViRobot 2008.9.16.1377 2008.09.16 -
VirusBuster 4.5.11.0 2008.09.16 -
Webwasher-Gateway 6.6.2 2008.09.16 -
Additional information
File size: 11192 bytes
MD5...: 4e37a88d3fa05668058cc502772a372f
SHA1..: 86620a6db27025a2b1e5fd30b19c0ab61a7af0a0
SHA256: dc4d4a5b5e91eef6bb1ce4d821442b0fa31c39c91a3861059b13f2186f2a4672
SHA512: 23824c66a6ba84ed0dc1c153ad1171ce0f0829616c97864bbe8412ef0cc91535
8b1df67816f930be134c1aab120e1e0644891d1de1b54b4bccf7a44080f5edfa
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x11916
timedatestamp.....: 0x467271dd (Fri Jun 15 11:02:53 2007)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x9ee 0xa00 6.25 424c20e382fa08c29134064cee3b2d0b
.rdata 0x2000 0x264 0x400 2.37 b9f1fc13b822743bdaaa7ba4911170ee
.data 0x3000 0x8 0x200 0.08 1fd62ec5648b0294c196045987fa1c25
INIT 0x4000 0x306 0x400 4.24 01f704985f1de453a4f4b55de53c08b9
.rsrc 0x5000 0x26c 0x400 4.00 11d1003cb466aaf4bfafcc40cbcc120c
.reloc 0x6000 0x138 0x200 2.65 5abefdda2fbafee21c0194c8f8f186bf

( 2 imports )
> ntoskrnl.exe: ZwSetValueKey, wcslen, wcscpy, memset, ExAllocatePoolWithTag, ZwQueryValueKey, ZwOpenKey, RtlInitUnicodeString, _except_handler3, IoDeleteDevice, IoUnregisterShutdownNotification, memmove, ZwClose, strlen, strrchr, ZwQuerySystemInformation, IofCompleteRequest, ObfDereferenceObject, ObReferenceObjectByName, IoDriverObjectType, _snwprintf, ZwEnumerateKey, ZwQueryKey, PsSetLoadImageNotifyRoutine, IoRegisterShutdownNotification, IoCreateDevice, wcscmp, MmIsAddressValid, ExFreePool
> HAL.dll: KfLowerIrql, KfRaiseIrql

( 0 exports )

ThreatExpert info: http://www.threatexp...58cc502772a372f
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP