[Resolved] Trojan found but unable to remove

Computer forums for help with removing malicious software (malware) and improving computer security

Welcome Guest to What the Tech! ( Log In | Register ) We specialize in the removal of malicious software (malware), but here you'll find free help and support for all your tech questions. We invite you to ask questions, share experiences, and learn. Explore our message boards, or register now to post messages of your own. Please Start Here. Register today (registration removes advertising)

What the Tech > Spyware / Malware / Virus Removal > HijackThis™ Logs and Infections Removal

[Resolved] Trojan found but unable to remove

Options

mpstar View Member Profile	Oct 7 2008, 05:04 PM Post #1
New Member Group: New Member Posts: 6 Joined: 29-August 08 Member No.: 81,270 Operating System: XP	My antivirus found two trojans but is unable to remove them due to them being unsupported files. Below is my HTJ log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:45:21, on 06/10/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\RTHDCPL.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\MagicDisc\MagicDisc.exe C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe C:\Program Files\Windows Live\Messenger\usnsvc.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\SearchProtocolHost.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://news.bbc.co.uk/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - S-1-5-18 Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'SYSTEM') O4 - .DEFAULT Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'Default user') O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.....;/GAME_UNO1.cab O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- End of file - 10453 bytes

LDTate View Member Profile	Oct 7 2008, 05:50 PM Post #2
Forum God Group: Root Admin Posts: 39,201 Joined: 23-September 04 From: Missouri, USA Member No.: 15,276	DO NOT use any TOOLS such as Combofix, Vundofix, or HijackThis fixes without supervision. Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data. Stay with this topic until I give you the all clean post. You might want to print these instructions out. I suggest you do this: Double-click My Computer. Click the Tools menu, and then click Folder Options. Click the View tab. Clear "Hide file extensions for known file types." Under the "Hidden files" folder, select "Show hidden files and folders." Clear "Hide protected operating system files." Click Apply, and then click OK. Please do not delete anything unless instructed to. Please download ATF Cleaner by Atribune. Download - ATF Cleaner» Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. (If you use FireFox or the Opera browser To keep saved passwords, click No at the prompt.) It's normal after running ATF cleaner that the PC will be slower to boot the first time or two. Next: Please download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select Perform quick scan, then click Scan. When the scan is complete, click OK, then Show Results to view the results. Be sure that everything is checked, and click Remove Selected . When completed, a log will open in Notepad. Please save it to a convenient location and post the results. Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot. Also "copy/paste" a new HijackThis log file into this thread. Also please describe how your computer behaves at the moment.

mpstar View Member Profile	Oct 7 2008, 06:05 PM Post #3
New Member Group: New Member Posts: 6 Joined: 29-August 08 Member No.: 81,270 Operating System: XP	Malwarebytes' Anti-Malware 1.28 Database version: 1241 Windows 5.1.2600 Service Pack 3 08/10/2008 00:58:57 mbam-log-2008-10-08 (00-58-57).txt Scan type: Quick Scan Objects scanned: 45769 Time elapsed: 2 minute(s), 8 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ****************************************************************************** ***************************************************************************** ******************** Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 01:04:32, on 08/10/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\RTHDCPL.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\MagicDisc\MagicDisc.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\SearchProtocolHost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://news.bbc.co.uk/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;.local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- End of file - 10200 bytes ***************************************************************************** ***************************************************************************** *************** My computer seems to be running fine the only weird thing is sometimes whilst running Firefox, Firefox will close on it own and the computer shuts down (normal shut down not forced)

LDTate View Member Profile	Oct 7 2008, 06:07 PM Post #4
Forum God Group: Root Admin Posts: 39,201 Joined: 23-September 04 From: Missouri, USA Member No.: 15,276	Download ComboFix from Here or Here to your Desktop. In the event you already have Combofix, this is a new version that I need you to download. It must be saved directly to your desktop. Make sure you are disconnected from the net 1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. Remember to re enable the protection again afterwards before connecting to the net 2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix. IF you have not already done so Combofix will disconnect your machine from the Internet when it starts. If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections. 3. Now double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze. Give it atleast 20-30 minutes to finish if needed.

mpstar View Member Profile	Oct 7 2008, 06:28 PM Post #5
New Member Group: New Member Posts: 6 Joined: 29-August 08 Member No.: 81,270 Operating System: XP	ComboFix 08-10-07.06 - Visal 2008-10-08 1:18:21.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2583 [GMT 1:00] Running from: C:\Documents and Settings\Visal\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_OREANS32 -------\Service_oreans32 ((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 ))))))))))))))))))))))))))))))) . 2008-10-08 00:55 . 2008-10-08 00:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-10-08 00:55 . 2008-10-08 00:55 <DIR> d-------- C:\Documents and Settings\Visal\Application Data\Malwarebytes 2008-10-08 00:55 . 2008-10-08 00:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-10-08 00:55 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-10-08 00:55 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-10-06 21:44 . 2008-10-06 21:44 <DIR> d-------- C:\Program Files\Trend Micro 2008-10-05 22:31 . 2003-07-22 07:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd 2008-10-05 22:31 . 2005-01-05 22:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys 2008-10-05 21:16 . 2008-10-05 21:16 <DIR> d-------- C:\Program Files\directx 2008-10-02 21:51 . 2008-10-02 21:54 <DIR> d-------- C:\Documents and Settings\Visal\bluej 2008-10-02 21:50 . 2008-10-02 21:50 <DIR> d-------- C:\BlueJ 2008-10-02 18:18 . 2008-10-02 18:18 <DIR> d-------- C:\Program Files\Common Files\Java 2008-10-02 17:23 . 2008-10-06 20:22 <DIR> d-------- C:\Documents and Settings\Visal\Application Data\SSH 2008-10-02 17:22 . 2008-10-02 17:22 <DIR> d-------- C:\Program Files\SSH Communications Security 2008-10-02 16:22 . 2008-10-02 16:22 <DIR> d-------- C:\Program Files\IDM Computer Solutions 2008-10-02 16:22 . 2008-10-02 16:22 <DIR> d-------- C:\Documents and Settings\Visal\Application Data\IDMComp 2008-10-02 16:04 . 2008-10-02 16:04 <DIR> d-------- C:\Documents and Settings\Visal\Jape 2008-09-30 22:43 . 2008-09-30 22:43 <DIR> d-------- C:\Program Files\Sun 2008-09-30 22:38 . 2008-10-02 18:20 <DIR> d-------- C:\Program Files\Java 2008-09-30 22:38 . 2008-09-30 22:38 410,976 --a------ C:\WINDOWS\system32\deploytk.dll 2008-09-30 22:38 . 2008-09-30 22:38 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-09-30 22:32 . 2008-09-30 22:32 <DIR> d-------- C:\Program Files\FileZilla FTP Client 2008-09-30 22:32 . 2008-10-02 17:23 <DIR> d-------- C:\Documents and Settings\Visal\Application Data\FileZilla 2008-09-26 11:36 . 2008-10-08 00:00 <DIR> d-------- C:\Program Files\Mozilla Thunderbird 2008-09-26 11:36 . 2008-09-26 11:36 <DIR> d-------- C:\Documents and Settings\Visal\Application Data\Thunderbird 2008-09-24 22:41 . 2008-09-24 22:45 <DIR> d-------- C:\Program Files\Windows Live Safety Center 2008-09-18 20:33 . 2008-10-07 11:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy 2008-09-18 20:33 . 2008-09-19 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-09-16 18:47 . 2008-09-16 18:47 <DIR> d-------- C:\Program Files\Audacity 2008-09-13 18:32 . 2008-09-13 18:32 <DIR> d-------- C:\Program Files\Teamspeak2_RC2 2008-09-13 18:32 . 2008-09-13 18:32 <DIR> d-------- C:\Documents and Settings\Visal\Application Data\teamspeak2 2008-09-13 18:32 . 2008-09-13 18:32 34,064 --a------ C:\WINDOWS\system32\lhacm.acm 2008-09-10 17:57 . 2008-09-10 17:59 <DIR> d-------- C:\WINDOWS\NV38281764.TMP 2008-09-10 17:54 . 2008-06-25 20:57 189,001 --a------ C:\WINDOWS\system32\nvapps.nvb 2008-09-10 17:53 . 2008-09-10 17:55 <DIR> d-------- C:\WINDOWS\NV28082812.TMP 2008-09-10 15:16 . 2008-09-10 15:16 <DIR> d-------- C:\Documents and Settings\Visal\Application Data\Symantec 2008-09-10 15:15 . 2008-09-10 15:15 <DIR> d-------- C:\Program Files\Windows Sidebar 2008-09-10 15:14 . 2008-09-10 15:15 <DIR> d-------- C:\Program Files\Norton Internet Security 2008-09-10 15:12 . 2008-09-10 15:26 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS 2008-09-10 15:12 . 2008-09-10 15:26 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL 2008-09-10 15:12 . 2008-09-10 15:26 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT 2008-09-10 15:12 . 2008-09-10 15:26 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF 2008-09-10 14:57 . 2008-09-10 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files 2008-09-10 14:47 . 2008-09-10 14:47 <DIR> d-------- C:\Documents and Settings\Visal\Application Data\COWON 2008-09-10 14:44 . 2008-09-10 14:45 <DIR> d-------- C:\Program Files\JetAudio 2008-09-10 14:44 . 2008-09-10 14:45 <DIR> d-------- C:\Program Files\Common Files\COWON 2008-09-10 14:44 . 2008-09-10 14:44 <DIR> d-------- C:\Documents and Settings\Visal\Application Data\InstallShield . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-08 00:21 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-10-08 00:11 --------- d-----w C:\Program Files\FlashGet 2008-10-07 23:59 --------- d-----w C:\Documents and Settings\Visal\Application Data\Skype 2008-10-07 23:07 --------- d-----w C:\Documents and Settings\Visal\Application Data\skypePM 2008-10-07 20:45 --------- d-----w C:\Program Files\Image-Line 2008-10-07 20:44 --------- d-----w C:\Program Files\VstPlugins 2008-10-05 21:47 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-09-10 14:26 --------- d-----w C:\Program Files\Symantec 2008-09-10 14:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec 2008-09-04 18:47 33,824 ----a-w C:\WINDOWS\system32\drivers\oreans32.sys 2008-08-28 13:54 --------- d-----w C:\Documents and Settings\Visal\Application Data\vlc 2008-08-28 13:53 --------- d-----w C:\Program Files\VideoLAN 2008-08-26 23:18 --------- d-----w C:\Program Files\ASIO4ALL v2 2008-08-26 23:17 --------- d-----w C:\Program Files\Outsim 2008-08-26 00:25 --------- d-----w C:\Program Files\ZD Soft 2008-08-26 00:00 --------- d-----w C:\Program Files\Skype 2008-08-25 22:20 --------- d-----w C:\Program Files\Common Files\Skype 2008-08-25 22:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype 2008-08-25 12:29 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard 2008-08-25 12:27 --------- d-----w C:\Program Files\HP 2008-08-24 22:20 --------- d-----w C:\Program Files\Microsoft Works 2008-08-24 22:13 --------- d-----w C:\Program Files\Real 2008-08-24 22:13 --------- d-----w C:\Program Files\Common Files\xing shared 2008-08-24 22:13 --------- d-----w C:\Program Files\Common Files\Real 2008-08-24 21:43 --------- d-----w C:\Documents and Settings\Visal\Application Data\Windows Search 2008-08-24 20:39 --------- d-----w C:\Program Files\btbb_wcm 2008-08-24 20:37 --------- d-----w C:\Program Files\Yahoo! 2008-08-24 20:36 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller 2008-08-24 20:36 --------- d-----w C:\Program Files\Windows Live 2008-08-24 20:33 --------- d-----w C:\Documents and Settings\Visal\Application Data\Yahoo! 2008-08-24 20:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller 2008-08-24 20:31 --------- d-----w C:\Program Files\BT Home Hub 2008-08-24 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo! 2008-08-24 20:26 155,995 ----a-w C:\WINDOWS\java\Packages\5VLRPZVB.ZIP 2008-08-23 10:16 --------- d-----w C:\Documents and Settings\Visal\Application Data\CyberLink 2008-08-23 09:06 --------- d-----w C:\Program Files\Windows Desktop Search 2008-08-23 09:06 --------- d-----w C:\Documents and Settings\Visal\Application Data\Windows Desktop Search 2008-08-23 09:02 --------- d-----w C:\Program Files\Windows Media Connect 2 2008-08-23 04:30 --------- d-----w C:\Program Files\Attansic 2008-08-23 04:28 315,392 ----a-w C:\WINDOWS\HideWin.exe 2008-08-23 04:28 --------- d-----w C:\Program Files\Realtek 2008-08-23 04:19 --------- d-----w C:\Program Files\Intel 2008-08-23 04:10 --------- d-----w C:\Program Files\microsoft frontpage 2008-08-22 17:19 --------- d-----w C:\Program Files\Microsoft.NET 2008-08-22 17:19 --------- d-----w C:\Program Files\Microsoft ActiveSync 2008-08-22 17:19 --------- d-----w C:\Program Files\Common Files\L&H 2008-08-22 16:40 --------- d-----w C:\Program Files\Common Files\Ahead 2008-08-22 16:40 --------- d-----w C:\Program Files\Ahead 2008-08-22 16:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink 2008-08-22 16:39 --------- d-----w C:\Program Files\CyberLink 2008-08-22 16:39 --------- d-----w C:\Program Files\Common Files\InstallShield 2008-08-03 21:21 3,891,200 ----a-w C:\WINDOWS\system32\vfp9t.dll 2008-08-03 21:19 4,722,688 ----a-w C:\WINDOWS\system32\vfp9r.dll 2008-08-01 05:40 9,928,704 ----a-w C:\WINDOWS\system32\atioglxx.dll 2008-08-01 04:58 253,952 ----a-w C:\WINDOWS\system32\atiok3x2.dll 2008-08-01 04:33 425,984 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll 2008-08-01 04:32 311,296 ----a-w C:\WINDOWS\system32\ati2dvag.dll 2008-08-01 04:23 184,320 ----a-w C:\WINDOWS\system32\atipdlxx.dll 2008-08-01 04:23 143,360 ----a-w C:\WINDOWS\system32\Oemdspif.dll 2008-08-01 04:22 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll 2008-08-01 04:22 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe 2008-08-01 04:22 143,360 ----a-w C:\WINDOWS\system32\ati2evxx.dll 2008-08-01 04:21 573,440 ----a-w C:\WINDOWS\system32\ati2evxx.exe 2008-08-01 04:19 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL 2008-08-01 04:10 3,917,568 ----a-w C:\WINDOWS\system32\ati3duag.dll 2008-08-01 03:59 2,183,552 ----a-w C:\WINDOWS\system32\ativvaxx.dll 2008-08-01 03:46 48,640 ----a-w C:\WINDOWS\system32\amdpcom32.dll 2008-08-01 03:42 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll 2008-08-01 03:40 35,328 ----a-w C:\WINDOWS\system32\atiadlxx.dll 2008-08-01 03:40 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll 2008-08-01 03:39 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll 2008-08-01 03:34 561,152 ----a-w C:\WINDOWS\system32\ati2cqag.dll 2008-07-31 21:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe 2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll 2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe 2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll 2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll 2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll 2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll 2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll 2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll 2008-07-18 21:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll 2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll 2006-06-23 22:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360] "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 36864] "36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-03-21 1953792] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-06-25 13529088] "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-26 51048] "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-07 718704] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-06-25 86016] "SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-09-30 140696] "RTHDCPL"="RTHDCPL.EXE" [2007-03-21 C:\WINDOWS\RTHDCPL.exe] "nwiz"="nwiz.exe" [2008-06-25 C:\WINDOWS\system32\nwiz.exe] C:\Documents and Settings\Visal\Start Menu\Programs\Startup\ MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-08-25 575488] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "C:\\Program Files\\FlashGet\\flashget.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-09-30 152984] R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-26 149864] R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l151x86.sys [2008-02-24 37376] S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 23888] S3 EverestDriver;Lavalys EVEREST Kernel Driver;F:\Everest Ultimate Edition\Install\kerneld.wnt [ ] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{994df2b7-711a-11dd-a425-001e8cca1532}] \Shell\AutoRun\command - F:\ \Shell\open\Command - 3ABA2327.exe Newly Created Service - COMHOST . Contents of the 'Scheduled Tasks' folder 2008-10-06 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Visal.job - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 15:05] . - - - - ORPHANS REMOVED - - - - HKCU-Run-eyeBeam SIP Client - (no file) MSConfigStartUp-Run - C:\Documents and Settings\Visal\Application Data\Adobe\Manager.exe . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\Visal\Application Data\Mozilla\Firefox\Profiles\3phw60ro.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.dcs.qmul.ac.uk/ FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-08 01:21:41 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver] "ImagePath"="\??\F:\Everest Ultimate Edition\Install\kerneld.wnt" . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\system32\ati2evxx.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\searchindexer.exe C:\WINDOWS\system32\rundll32.exe C:\ComboFix\pv.cfexe . ********************************************************************** . Completion time: 2008-10-08 1:24:46 - machine was rebooted ComboFix-quarantined-files.txt 2008-10-08 00:24:40 Pre-Run: 88,215,633,920 bytes free Post-Run: 88,132,284,416 bytes free 251 --- E O F --- 2008-09-10 14:09:47 **************************************************************************** ************ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 01:28:30, on 08/10/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\MagicDisc\MagicDisc.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\SearchProtocolHost.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://news.bbc.co.uk/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- End of file - 9635 bytes

LDTate View Member Profile	Oct 7 2008, 06:39 PM Post #6
Forum God Group: Root Admin Posts: 39,201 Joined: 23-September 04 From: Missouri, USA Member No.: 15,276	Copy/paste the text in the Codebox below into notepad: Here's how to do that: Click Start > Run type Notepad click OK. This will open an empty notepad file: Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text. CODE Folder:: C:\Program Files\Bonjour Registry:: [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{994df2b7-711a-11dd-a425-001e8cca1532}] Save this file to your desktop, Save this as "CFScript" Here's how to do that: 1.Click File; 2.Click Save As... Change the directory to your desktop; 3.Change the Save as type to "All Files"; 4.Type in the file name: CFScript 5.Click Save ... Drag CFScript.txt into ComboFix.exe Then post the results log and a new HijackThis log. Also please describe how your computer behaves at the moment.

mpstar

Oct 7 2008, 06:52 PM

Post #7

New Member

Group: New Member
Posts: 6
Joined: 29-August 08
Member No.: 81,270
Operating System: XP

ComboFix 08-10-07.06 - Visal 2008-10-08 1:42:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2487 [GMT 1:00]
Running from: C:\Documents and Settings\Visal\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Visal\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Bonjour
C:\Program Files\Bonjour\mdnsNSP.dll
C:\Program Files\Bonjour\mDNSResponder.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 )))))))))))))))))))))))))))))))
.

2008-10-08 00:55 . 2008-10-08 00:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-08 00:55 . 2008-10-08 00:55 <DIR> d-------- C:\Documents and Settings\Visal\Application Data\Malwarebytes
2008-10-08 00:55 . 2008-10-08 00:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-08 00:55 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-08 00:55 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-06 21:44 . 2008-10-06 21:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-0