WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Resolved] Please help "Viruswebprotect.com"

Started by Smalefarms , Apr 16 2008 02:01 AM

This topic is locked

17 replies to this topic

#1 Smalefarms

New Member

New Member
9 posts

Posted 16 April 2008 - 02:01 AM

After I realised that I hav got viruswebprotect I tried to look at the old topics and fix my computer by myself

I hav installed smitfraudfix and clean,And I also run Malwarebytes as well.

I run these things in safe mode..

It seemed to work the red destop's gone and 3 icons on destop 's gone

but problem is when I run window in normal mode it's so slow and i just can't do anything my com just stuck

and i hav to press the turn off button to restart the computer.I can only run my com in safe mode

Here is my Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:37 AM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\csrss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS.0\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS.0\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [700072b7] rundll32.exe "C:\WINDOWS.0\system32\duvhnvsy.dll",b
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\Monitor.exe"
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 6183 bytes

thanks

Advertisements

Register to Remove

#2 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 20 April 2008 - 07:01 AM

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Please do not delete anything unless instructed to.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#3 Smalefarms

New Member

New Member
9 posts

Posted 20 April 2008 - 08:13 AM

While I was waiting for reply I ran combofix before is that going to affect something?

Anyway,everything still same,When I run window in normal mode it still stucked when the com boost finish

Here is combofix,hijackthis and malware logs files

ComboFix 08-04-13.2 - Administrator 2008-04-15 8:40:56.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.392 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\John's movies\??\????II????\_desktop.ini
C:\John's movies\??\?ú?\_desktop.ini
C:\Program Files\AsiaSoft\Gravity\RagnarokOnline\data\_desktop.ini
C:\Program Files\AsiaSoft\Gravity\RagnarokOnline\data\texture\??????????????\_desktop.ini
C:\Program Files\AsiaSoft\Gravity\RagnarokOnline\data\texture\??????????????\collection\_desktop.ini
C:\Program Files\AsiaSoft\Gravity\RagnarokOnline\data\texture\??????????????\item\_desktop.ini
C:\Program Files\AsiaSoft\Gravity\RagnarokOnline\data\texture\??????????????\login_interface\_desktop.ini
C:\Program Files\AsiaSoft\Gravity\RagnarokOnline\data\texture\??????????????\MAP\_desktop.ini
C:\Program Files\AsiaSoft\Gravity\RagnarokOnline\data\texture\_desktop.ini
C:\Program Files\AsiaSoft\Gravity\RagnarokOnline\data\texture\effect\_desktop.ini
C:\WINDOWS.0\system32\awturPHy.dll
C:\WINDOWS.0\system32\DgQBHkkj.ini
C:\WINDOWS.0\system32\DgQBHkkj.ini2
C:\WINDOWS.0\system32\jkkHBQgD.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-15 07:51 . 2008-04-15 07:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-15 07:50 . 2008-04-15 07:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-15 07:50 . 2008-04-15 07:50 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Malwarebytes
2008-04-14 12:48 . 2008-04-14 12:48 <DIR> d-------- C:\_OTMoveIt
2008-04-14 11:30 . 2008-04-14 11:30 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-14 10:40 . 2008-04-15 07:32 2,202 --a------ C:\WINDOWS.0\system32\tmp.reg
2008-04-14 10:12 . 2008-04-14 10:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-13 21:24 . 2008-04-13 21:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-04-13 15:07 . 2008-04-12 06:04 98,304 --a------ C:\WINDOWS.0\spnkfwad.exe
2008-04-13 14:51 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS.0\system32\drivers\MSTEE.sys
2008-04-13 14:27 . 2008-04-13 14:27 <DIR> d-------- C:\Program Files\Innovative Solutions
2008-04-13 14:27 . 2008-04-13 14:27 <DIR> d-------- C:\Program Files\FreeUndelete
2008-04-13 13:43 . 2008-04-14 09:25 121 --a------ C:\WINDOWS.0\bdagent.INI
2008-04-13 13:37 . 2008-04-13 13:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BitDefender
2008-04-13 13:36 . 2008-04-13 13:36 <DIR> d-------- C:\Program Files\BitDefender
2008-04-13 13:36 . 2008-04-13 14:00 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\BitDefender
2008-04-13 13:32 . 2008-04-13 13:36 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-04-13 13:29 . 2008-04-13 13:29 <DIR> d-------- C:\Program Files\UltraISO
2008-04-13 13:29 . 2008-04-13 13:29 <DIR> d-------- C:\Program Files\Common Files\EZB Systems
2008-04-13 12:44 . 2008-04-13 12:44 83 --a------ C:\WINDOWS.0\QtZgAcer.UNI
2008-04-13 12:43 . 2006-06-23 10:39 245,824 -ra------ C:\WINDOWS.0\system32\InstExec.exe
2008-04-13 12:43 . 2006-06-23 10:40 245,824 --a------ C:\WINDOWS.0\Instexec.exe
2008-04-13 12:43 . 2006-06-23 10:39 719 -ra------ C:\WINDOWS.0\system32\InstExec.ini
2008-04-13 12:42 . 1998-10-29 17:45 306,688 --a------ C:\WINDOWS.0\IsUninst.exe
2008-04-13 12:42 . 2008-04-13 12:42 272 --a------ C:\WINDOWS.0\_delis32.ini
2008-04-13 12:26 . 2008-04-13 12:26 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-13 00:54 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS.0\system32\kbdjpn.dll
2008-04-13 00:54 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS.0\system32\kbdkor.dll
2008-04-13 00:54 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS.0\system32\kbd106.dll
2008-04-13 00:54 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS.0\system32\kbd101c.dll
2008-04-13 00:54 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS.0\system32\kbd101b.dll
2008-04-13 00:54 . 2001-08-17 14:55 5,632 --a------ C:\WINDOWS.0\system32\kbd103.dll
2008-04-13 00:48 . 2008-04-13 00:48 <DIR> d-------- C:\Documents and Settings\Administrator\Bluetooth Software
2008-04-13 00:34 . 2008-04-13 00:34 <DIR> d-------- C:\WINDOWS.0\tiinst
2008-04-13 00:32 . 2006-06-12 22:18 162,432 -ra------ C:\WINDOWS.0\system32\drivers\tifm21.sys
2008-04-13 00:26 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS.0\system32\mucltui.dll
2008-04-13 00:26 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS.0\system32\mucltui.dll.mui
2008-04-13 00:25 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS.0\system32\wucltui.dll.mui
2008-04-13 00:25 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS.0\system32\wuaucpl.cpl.mui
2008-04-13 00:25 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS.0\system32\wuapi.dll.mui
2008-04-13 00:25 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS.0\system32\wuaueng.dll.mui
2008-04-13 00:21 . 2008-04-13 00:21 <DIR> d-------- C:\WINDOWS.0\system32\Lang
2008-04-13 00:21 . 2008-04-13 00:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\nView_Profiles
2008-04-13 00:21 . 2008-04-13 00:21 940,794 --a------ C:\WINDOWS.0\system32\LoopyMusic.wav
2008-04-13 00:21 . 2008-04-13 00:21 146,650 --a------ C:\WINDOWS.0\system32\BuzzingBee.wav
2008-04-13 00:17 . 2008-04-13 00:17 <DIR> d-------- C:\WINDOWS.0\system32\config\systemprofile\Application Data\Intel
2008-04-13 00:17 . 2008-04-13 00:17 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Intel
2008-04-13 00:17 . 2008-04-13 00:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-04-13 00:17 . 2008-04-13 00:17 21,275 --a------ C:\WINDOWS.0\system32\drivers\AegisP.sys
2008-04-13 00:16 . 2008-04-13 00:16 <DIR> d----c--- C:\WINDOWS.0\system32\DRVSTORE
2008-04-13 00:14 . 2006-05-31 20:55 244,864 -ra------ C:\WINDOWS.0\system32\drivers\yk51x86.sys
2008-04-13 00:09 . 2008-04-13 00:09 <DIR> d-------- C:\WINDOWS.0\Options
2008-04-13 00:09 . 2005-12-13 11:08 1,124,097 -ra------ C:\WINDOWS.0\system32\drivers\AGRSM.sys
2008-04-13 00:09 . 2005-12-13 09:50 88,204 -ra------ C:\WINDOWS.0\AGRSMMSG.exe
2008-04-13 00:09 . 2005-05-03 06:10 68,096 --------- C:\WINDOWS.0\system32\agrsmdel.exe
2008-04-13 00:09 . 2005-05-03 06:10 68,096 -ra------ C:\WINDOWS.0\agrsmdel.exe
2008-04-12 23:58 . 2008-04-12 23:58 <DIR> d-------- C:\Program Files\Synaptics
2008-04-12 23:56 . 2006-06-14 09:50 172,416 --a------ C:\WINDOWS.0\system32\drivers\kmixer.sys
2008-04-12 23:56 . 2005-05-28 00:14 142,464 --a------ C:\WINDOWS.0\system32\drivers\aec.sys
2008-04-12 23:56 . 2006-07-18 21:42 135,168 -r------- C:\WINDOWS.0\system32\RtlCPAPI.dll
2008-04-12 23:56 . 2006-06-14 10:17 82,944 --a------ C:\WINDOWS.0\system32\drivers\wdmaud.sys
2008-04-12 23:56 . 2004-08-03 23:15 60,800 --a------ C:\WINDOWS.0\system32\drivers\sysaudio.sys
2008-04-12 23:56 . 2001-08-17 14:00 54,272 --a------ C:\WINDOWS.0\system32\drivers\swmidi.sys
2008-04-12 23:56 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS.0\system32\drivers\DMusic.sys
2008-04-12 23:56 . 2006-07-18 21:41 40,960 -r------- C:\WINDOWS.0\system32\ChCfg.exe
2008-04-12 23:56 . 2006-06-14 09:50 6,272 --a------ C:\WINDOWS.0\system32\drivers\splitter.sys
2008-04-12 23:56 . 2004-08-03 23:07 2,944 --a------ C:\WINDOWS.0\system32\drivers\drmkaud.sys
2008-04-12 23:55 . 2008-04-12 23:56 <DIR> d-------- C:\WINDOWS.0\system32\RTCOM
2008-04-12 23:55 . 2006-07-12 14:50 146,048 --a------ C:\WINDOWS.0\system32\drivers\portcls.sys
2008-04-12 23:55 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS.0\system32\ksproxy.ax
2008-04-12 23:55 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS.0\system32\drivers\drmk.sys
2008-04-12 23:55 . 2004-08-03 22:58 7,552 --a------ C:\WINDOWS.0\system32\drivers\MSKSSRV.sys
2008-04-12 23:55 . 2004-08-03 22:58 5,376 --a------ C:\WINDOWS.0\system32\drivers\MSPCLOCK.sys
2008-04-12 23:55 . 2004-08-03 22:58 4,992 --a------ C:\WINDOWS.0\system32\drivers\MSPQM.sys
2008-04-12 23:55 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS.0\system32\ksuser.dll
2008-04-12 23:54 . 2006-07-18 21:41 487,424 -r------- C:\WINDOWS.0\RtlExUpd.dll
2008-04-12 23:51 . 2008-04-13 00:20 <DIR> d-------- C:\WINDOWS.0\nview
2008-04-12 23:51 . 2006-06-12 18:16 208,896 --a------ C:\WINDOWS.0\system32\NVUNINST.EXE
2008-04-12 23:51 . 2006-06-12 19:11 208,896 --a------ C:\WINDOWS.0\system32\nvudisp.exe
2008-04-12 23:51 . 2008-04-15 08:23 51,048 --a------ C:\WINDOWS.0\system32\nvapps.xml
2008-04-12 23:51 . 2006-06-12 19:11 16,960 --a------ C:\WINDOWS.0\system32\nvdisp.nvu
2008-04-12 23:43 . 2008-04-12 23:43 12,920 --a------ C:\WINDOWS.0\system32\GDIPFONTCACHEV1.DAT
2008-04-12 16:59 . 2008-04-12 16:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sports Interactive
2008-04-12 16:55 . 2008-04-12 16:56 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\FLEXnet
2008-04-12 13:02 . 2008-04-12 13:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ESET
2008-04-12 13:01 . 2008-04-12 13:01 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\ESET
2008-04-08 21:43 . 2008-04-08 21:43 2,560 --a------ C:\WINDOWS.0\system32\bitcometres.dll
2008-04-05 16:38 . 2008-04-05 16:38 <DIR> d--h----- C:\Documents and Settings\Default User.WINDOWS.1
2008-04-05 16:38 . 2008-04-05 16:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.1
2008-04-05 13:02 . 2004-08-03 18:59 57,472 --a------ C:\WINDOWS.0\system32\drivers\redbook.sys
2008-04-05 13:02 . 2001-08-17 09:59 3,072 --a------ C:\WINDOWS.0\system32\drivers\audstub.sys
2008-04-05 13:01 . 2004-08-04 00:56 74,240 --a------ C:\WINDOWS.0\system32\usbui.dll
2008-04-05 13:00 . 2004-08-03 19:07 14,080 --a------ C:\WINDOWS.0\system32\drivers\CmBatt.sys
2008-04-05 13:00 . 2001-08-17 09:57 14,080 --a------ C:\WINDOWS.0\system32\drivers\battc.sys
2008-04-05 13:00 . 2001-08-17 09:58 9,344 --a------ C:\WINDOWS.0\system32\drivers\compbatt.sys
2008-04-05 13:00 . 2004-08-03 19:07 8,832 --a------ C:\WINDOWS.0\system32\drivers\wmiacpi.sys
2008-03-21 00:58 . 2008-04-01 10:37 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-21 00:52 . 2008-03-21 00:57 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-03-21 00:43 . 2008-03-21 00:43 <DIR> d-------- C:\Program Files\Microsoft Synchronization Services
2008-03-21 00:43 . 2008-03-21 00:43 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 17:53 85,520 ----a-w C:\WINDOWS.0\system32\drivers\bdfndisf.sys
2008-04-13 16:44 --------- d-----w C:\Program Files\Launch Manager
2008-04-13 16:43 --------- d-----w C:\Program Files\Common Files\Logitech
2008-04-13 04:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 03:48 --------- d-----w C:\Program Files\Intel
2008-04-12 20:58 --------- d-----w C:\Program Files\FM Modifier 2.1
2008-04-12 17:01 --------- d-----w C:\Program Files\ESET
2008-04-05 22:05 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-01 08:14 --------- d-----w C:\Program Files\BitComet
2008-03-30 07:14 --------- d-----w C:\Program Files\MSN Messenger
2008-03-30 07:14 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-21 14:26 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-21 04:54 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-21 05:18 --------- d-----w C:\Documents and Settings\Windows_XP\Application Data\AVG7
2008-02-20 16:39 --------- d-----w C:\Program Files\Typing Instructor Deluxe Edition
2006-11-01 05:31 1,669,120 ----a-w C:\Program Files\wmsetsdk.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced Uninstaller PRO Installation Monitor"="C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\Monitor.exe" [2007-01-29 16:20 1219584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-10-25 09:26 1410304]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-18 21:42 16248320 C:\WINDOWS.0\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-07-18 21:42 2879488 C:\WINDOWS.0\SkyTel.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-18 21:41 53248]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 09:50 88204 C:\WINDOWS.0\AGRSMMSG.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 11:51 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 11:52 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 11:56 569413]
"LVCOMSX"="C:\WINDOWS.0\system32\LVCOMSX.EXE" [2006-06-23 10:39 225280]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-07-14 00:13 471040]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-04-13 13:52 360448]
"700072b7"="C:\WINDOWS.0\system32\duvhnvsy.dll" [ ]
"NvCplDaemon"="C:\WINDOWS.0\system32\NvCpl.dll" [2006-06-12 19:11 7577600]
"NvMediaCenter"="C:\WINDOWS.0\system32\NvMcTray.dll" [2006-06-12 19:11 86016]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-01-23 15:47 847872]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS.0\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17792:TCP"= 17792:TCP:BitComet 17792 TCP
"17792:UDP"= 17792:UDP:BitComet 17792 UDP

S3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS.0\system32\DRIVERS\bdfndisf.sys [2008-04-13 13:53]
S3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS.0\system32\DRIVERS\lv321av.sys [2006-06-19 15:20]
S3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS.0\system32\drivers\LVPrcMon.sys [2006-06-23 10:40]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe HowToUse\HowToUse.htm

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 08:51:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-15 8:55:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-15 12:55:14

Pre-Run: 67,695,624,192 bytes free
Post-Run: 68,503,429,120 bytes free

----------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:30 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS.0\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [700072b7] rundll32.exe "C:\WINDOWS.0\system32\duvhnvsy.dll",b
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\Monitor.exe"
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 5806 bytes

--------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Quick Scan
Objects scanned: 29943
Time elapsed: 10 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 20 April 2008 - 02:00 PM

That combofix was 5 days ago. Lets get the latest one.

Download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop**
--------------------------------------------------------------------

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
Please do not re-connect your machine back to the Internet until Combofix has completely finished.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Give it atleast 20-30 minutes to finish

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#5 Smalefarms

New Member

New Member
9 posts

Posted 20 April 2008 - 08:26 PM

Here is combofix and Hijackthis logs files.

ComboFix 08-04-20.2 - Administrator 2008-04-22 1:44:29.3 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\John's movies\??\????II????\_desktop.ini
C:\John's movies\??\?ú?\_desktop.ini
C:\Program Files\AsiaSoft\Gravity\RagnarokOnline\data\texture\??????????????\_desktop.ini
C:\Program Files\AsiaSoft\Gravity\RagnarokOnline\data\texture\??????????????\collection\_desktop.ini
C:\Program Files\AsiaSoft\Gravity\RagnarokOnline\data\texture\??????????????\item\_desktop.ini
C:\Program Files\AsiaSoft\Gravity\RagnarokOnline\data\texture\??????????????\login_interface\_desktop.ini
C:\Program Files\AsiaSoft\Gravity\RagnarokOnline\data\texture\??????????????\MAP\_desktop.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-19 09:14 . 2008-04-21 09:04 664 --a------ C:\WINDOWS.0\system32\d3d9caps.dat
2008-04-15 09:10 . 2008-04-15 09:10 <DIR> d-------- C:\WINDOWS.0\system32\xircom
2008-04-15 08:57 . 2008-04-15 08:57 <DIR> d-------- C:\Deckard
2008-04-15 08:40 . 2008-04-21 22:44 1,024 --ah----- C:\WINDOWS.0\system32\config\systemprofile\ntuser.dat.LOG
2008-04-15 07:51 . 2008-04-15 07:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-15 07:50 . 2008-04-15 07:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-15 07:50 . 2008-04-15 07:50 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Malwarebytes
2008-04-14 12:48 . 2008-04-14 12:48 <DIR> d-------- C:\_OTMoveIt
2008-04-14 11:30 . 2008-04-18 10:54 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-14 10:40 . 2008-04-21 10:02 424 --a------ C:\WINDOWS.0\system32\tmp.reg
2008-04-14 10:12 . 2008-04-14 10:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-13 21:24 . 2008-04-13 21:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-04-13 15:07 . 2008-04-12 06:04 98,304 --a------ C:\WINDOWS.0\spnkfwad.exe
2008-04-13 14:51 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS.0\system32\drivers\MSTEE.sys
2008-04-13 14:27 . 2008-04-13 14:27 <DIR> d-------- C:\Program Files\Innovative Solutions
2008-04-13 14:27 . 2008-04-13 14:27 <DIR> d-------- C:\Program Files\FreeUndelete
2008-04-13 13:43 . 2008-04-19 09:12 121 --a------ C:\WINDOWS.0\bdagent.INI
2008-04-13 13:37 . 2008-04-13 13:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BitDefender
2008-04-13 13:36 . 2008-04-13 13:36 <DIR> d-------- C:\Program Files\BitDefender
2008-04-13 13:36 . 2008-04-13 14:00 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\BitDefender
2008-04-13 13:32 . 2008-04-13 13:36 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-04-13 13:29 . 2008-04-13 13:29 <DIR> d-------- C:\Program Files\UltraISO
2008-04-13 13:29 . 2008-04-13 13:29 <DIR> d-------- C:\Program Files\Common Files\EZB Systems
2008-04-13 12:44 . 2008-04-13 12:44 83 --a------ C:\WINDOWS.0\QtZgAcer.UNI
2008-04-13 12:43 . 2006-06-23 10:39 245,824 -ra------ C:\WINDOWS.0\system32\InstExec.exe
2008-04-13 12:43 . 2006-06-23 10:40 245,824 --a------ C:\WINDOWS.0\Instexec.exe
2008-04-13 12:43 . 2006-06-23 10:39 719 -ra------ C:\WINDOWS.0\system32\InstExec.ini
2008-04-13 12:42 . 1998-10-29 17:45 306,688 --a------ C:\WINDOWS.0\IsUninst.exe
2008-04-13 12:42 . 2008-04-13 12:42 272 --a------ C:\WINDOWS.0\_delis32.ini
2008-04-13 12:26 . 2008-04-13 12:26 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-13 00:54 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS.0\system32\kbdjpn.dll
2008-04-13 00:54 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS.0\system32\kbdkor.dll
2008-04-13 00:54 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS.0\system32\kbd106.dll
2008-04-13 00:54 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS.0\system32\kbd101c.dll
2008-04-13 00:54 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS.0\system32\kbd101b.dll
2008-04-13 00:54 . 2001-08-17 14:55 5,632 --a------ C:\WINDOWS.0\system32\kbd103.dll
2008-04-13 00:48 . 2008-04-13 00:48 <DIR> d-------- C:\Documents and Settings\Administrator\Bluetooth Software
2008-04-13 00:34 . 2008-04-13 00:34 <DIR> d-------- C:\WINDOWS.0\tiinst
2008-04-13 00:32 . 2006-06-12 22:18 162,432 -ra------ C:\WINDOWS.0\system32\drivers\tifm21.sys
2008-04-13 00:26 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS.0\system32\mucltui.dll
2008-04-13 00:26 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS.0\system32\mucltui.dll.mui
2008-04-13 00:25 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS.0\system32\wucltui.dll.mui
2008-04-13 00:25 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS.0\system32\wuaucpl.cpl.mui
2008-04-13 00:25 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS.0\system32\wuapi.dll.mui
2008-04-13 00:25 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS.0\system32\wuaueng.dll.mui
2008-04-13 00:21 . 2008-04-13 00:21 <DIR> d-------- C:\WINDOWS.0\system32\Lang
2008-04-13 00:21 . 2008-04-13 00:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\nView_Profiles
2008-04-13 00:21 . 2008-04-13 00:21 940,794 --a------ C:\WINDOWS.0\system32\LoopyMusic.wav
2008-04-13 00:21 . 2008-04-13 00:21 146,650 --a------ C:\WINDOWS.0\system32\BuzzingBee.wav
2008-04-13 00:17 . 2008-04-13 00:17 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Intel
2008-04-13 00:17 . 2008-04-13 00:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-04-13 00:17 . 2008-04-13 00:17 21,275 --a------ C:\WINDOWS.0\system32\drivers\AegisP.sys
2008-04-13 00:16 . 2008-04-13 00:16 <DIR> d----c--- C:\WINDOWS.0\system32\DRVSTORE
2008-04-13 00:14 . 2006-05-31 20:55 244,864 -ra------ C:\WINDOWS.0\system32\drivers\yk51x86.sys
2008-04-13 00:09 . 2008-04-13 00:09 <DIR> d-------- C:\WINDOWS.0\Options
2008-04-13 00:09 . 2005-12-13 11:08 1,124,097 -ra------ C:\WINDOWS.0\system32\drivers\AGRSM.sys
2008-04-13 00:09 . 2005-12-13 09:50 88,204 -ra------ C:\WINDOWS.0\AGRSMMSG.exe
2008-04-13 00:09 . 2005-05-03 06:10 68,096 --------- C:\WINDOWS.0\system32\agrsmdel.exe
2008-04-13 00:09 . 2005-05-03 06:10 68,096 -ra------ C:\WINDOWS.0\agrsmdel.exe
2008-04-12 23:58 . 2008-04-12 23:58 <DIR> d-------- C:\Program Files\Synaptics
2008-04-12 23:56 . 2006-06-14 09:50 172,416 --a------ C:\WINDOWS.0\system32\drivers\kmixer.sys
2008-04-12 23:56 . 2005-05-28 00:14 142,464 --a------ C:\WINDOWS.0\system32\drivers\aec.sys
2008-04-12 23:56 . 2006-07-18 21:42 135,168 -r------- C:\WINDOWS.0\system32\RtlCPAPI.dll
2008-04-12 23:56 . 2006-06-14 10:17 82,944 --a------ C:\WINDOWS.0\system32\drivers\wdmaud.sys
2008-04-12 23:56 . 2004-08-03 23:15 60,800 --a------ C:\WINDOWS.0\system32\drivers\sysaudio.sys
2008-04-12 23:56 . 2001-08-17 14:00 54,272 --a------ C:\WINDOWS.0\system32\drivers\swmidi.sys
2008-04-12 23:56 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS.0\system32\drivers\DMusic.sys
2008-04-12 23:56 . 2006-07-18 21:41 40,960 -r------- C:\WINDOWS.0\system32\ChCfg.exe
2008-04-12 23:56 . 2006-06-14 09:50 6,272 --a------ C:\WINDOWS.0\system32\drivers\splitter.sys
2008-04-12 23:56 . 2004-08-03 23:07 2,944 --a------ C:\WINDOWS.0\system32\drivers\drmkaud.sys
2008-04-12 23:55 . 2008-04-12 23:56 <DIR> d-------- C:\WINDOWS.0\system32\RTCOM
2008-04-12 23:55 . 2006-07-12 14:50 146,048 --a------ C:\WINDOWS.0\system32\drivers\portcls.sys
2008-04-12 23:55 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS.0\system32\ksproxy.ax
2008-04-12 23:55 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS.0\system32\drivers\drmk.sys
2008-04-12 23:55 . 2004-08-03 22:58 7,552 --a------ C:\WINDOWS.0\system32\drivers\MSKSSRV.sys
2008-04-12 23:55 . 2004-08-03 22:58 5,376 --a------ C:\WINDOWS.0\system32\drivers\MSPCLOCK.sys
2008-04-12 23:55 . 2004-08-03 22:58 4,992 --a------ C:\WINDOWS.0\system32\drivers\MSPQM.sys
2008-04-12 23:55 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS.0\system32\ksuser.dll
2008-04-12 23:54 . 2006-07-18 21:41 487,424 -r------- C:\WINDOWS.0\RtlExUpd.dll
2008-04-12 23:51 . 2008-04-13 00:20 <DIR> d-------- C:\WINDOWS.0\nview
2008-04-12 23:51 . 2006-06-12 18:16 208,896 --a------ C:\WINDOWS.0\system32\NVUNINST.EXE
2008-04-12 23:51 . 2006-06-12 19:11 208,896 --a------ C:\WINDOWS.0\system32\nvudisp.exe
2008-04-12 23:51 . 2008-04-21 23:25 51,048 --a------ C:\WINDOWS.0\system32\nvapps.xml
2008-04-12 23:51 . 2006-06-12 19:11 16,960 --a------ C:\WINDOWS.0\system32\nvdisp.nvu
2008-04-12 23:43 . 2008-04-12 23:43 12,920 --a------ C:\WINDOWS.0\system32\GDIPFONTCACHEV1.DAT
2008-04-12 16:59 . 2008-04-12 16:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sports Interactive
2008-04-12 16:55 . 2008-04-12 16:56 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\FLEXnet
2008-04-12 13:02 . 2008-04-12 13:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ESET
2008-04-12 13:01 . 2008-04-12 13:01 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\ESET
2008-04-08 21:43 . 2008-04-08 21:43 2,560 --a------ C:\WINDOWS.0\system32\bitcometres.dll
2008-04-05 16:38 . 2008-04-05 16:38 <DIR> d--h----- C:\Documents and Settings\Default User.WINDOWS.1
2008-04-05 16:38 . 2008-04-05 16:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.1
2008-04-05 13:02 . 2004-08-03 18:59 57,472 --a------ C:\WINDOWS.0\system32\drivers\redbook.sys
2008-04-05 13:02 . 2001-08-17 09:59 3,072 --a------ C:\WINDOWS.0\system32\drivers\audstub.sys
2008-04-05 13:01 . 2004-08-04 00:56 74,240 --a------ C:\WINDOWS.0\system32\usbui.dll
2008-04-05 13:00 . 2004-08-03 19:07 14,080 --a------ C:\WINDOWS.0\system32\drivers\CmBatt.sys
2008-04-05 13:00 . 2001-08-17 09:57 14,080 --a------ C:\WINDOWS.0\system32\drivers\battc.sys
2008-04-05 13:00 . 2001-08-17 09:58 9,344 --a------ C:\WINDOWS.0\system32\drivers\compbatt.sys
2008-04-05 13:00 . 2004-08-03 19:07 8,832 --a------ C:\WINDOWS.0\system32\drivers\wmiacpi.sys
2008-04-02 14:06 . 2008-04-02 14:06 3,630 --a------ C:\Documents and Settings\Windows_XP\SR-Reg.TXT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 17:53 85,520 ----a-w C:\WINDOWS.0\system32\drivers\bdfndisf.sys
2008-04-13 16:44 --------- d-----w C:\Program Files\Launch Manager
2008-04-13 16:43 --------- d-----w C:\Program Files\Common Files\Logitech
2008-04-13 04:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 03:48 --------- d-----w C:\Program Files\Intel
2008-04-12 20:58 --------- d-----w C:\Program Files\FM Modifier 2.1
2008-04-12 17:01 --------- d-----w C:\Program Files\ESET
2008-04-05 22:05 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-01 14:37 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-01 08:14 --------- d-----w C:\Program Files\BitComet
2008-03-30 07:14 --------- d-----w C:\Program Files\MSN Messenger
2008-03-30 07:14 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-21 14:26 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-21 04:57 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-03-21 04:54 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-21 04:46 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2008-03-21 04:43 --------- d-----w C:\Program Files\Microsoft Synchronization Services
2008-03-21 04:43 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-03-21 04:35 --------- d-----w C:\Program Files\Microsoft SDKs
2008-03-21 02:28 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-21 02:28 --------- d-----w C:\Program Files\MSBuild
2008-03-21 02:21 --------- d-----w C:\Program Files\MSXML 6.0
2006-11-01 05:31 1,669,120 ----a-w C:\Program Files\wmsetsdk.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-15_ 8.54.47.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-15 12:51:08 2,048 --s-a-w C:\WINDOWS.0\bootstat.dat
+ 2008-04-22 05:42:30 2,048 --s-a-w C:\WINDOWS.0\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced Uninstaller PRO Installation Monitor"="C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\Monitor.exe" [2007-01-29 16:20 1219584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-20 03:34 185896]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [ ]
"SkyTel"="SkyTel.EXE" [2006-07-18 21:42 2879488 C:\WINDOWS.0\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-18 21:42 16248320 C:\WINDOWS.0\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2006-06-12 19:11 1519616 C:\WINDOWS.0\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS.0\system32\NvMcTray.dll" [2006-06-12 19:11 86016]
"NvCplDaemon"="C:\WINDOWS.0\system32\NvCpl.dll" [2006-06-12 19:11 7577600]
"LVCOMSX"="C:\WINDOWS.0\system32\LVCOMSX.EXE" [2006-06-23 10:39 225280]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-07-14 00:13 471040]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 11:51 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 11:52 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 11:56 569413]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-10-25 09:26 1410304]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-04-13 13:52 360448]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-18 21:41 53248]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 09:50 88204 C:\WINDOWS.0\AGRSMMSG.exe]
"700072b7"="C:\WINDOWS.0\system32\duvhnvsy.dll" [ ]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS.0\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17792:TCP"= 17792:TCP:BitComet 17792 TCP
"17792:UDP"= 17792:UDP:BitComet 17792 UDP

S3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS.0\system32\DRIVERS\bdfndisf.sys [2008-04-13 13:53]
S3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS.0\system32\DRIVERS\lv321av.sys [2006-06-19 15:20]
S3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS.0\system32\drivers\LVPrcMon.sys [2006-06-23 10:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 01:48:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-22 1:49:57
ComboFix-quarantined-files.txt 2008-04-22 05:49:45
ComboFix2.txt 2008-04-22 02:49:46
ComboFix3.txt 2008-04-15 12:55:21

Pre-Run: 68,575,367,168 bytes free
Post-Run: 68,563,185,664 bytes free

206

----------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:34 AM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS.0\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [700072b7] rundll32.exe "C:\WINDOWS.0\system32\duvhnvsy.dll",b
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\Monitor.exe"
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 6154 bytes

#6 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 20 April 2008 - 08:44 PM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS.0\spnkfwad.exe
C:\WINDOWS.0\system32\duvhnvsy.dll

Save this as Save this as "CFScript"

Posted Image

Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Also please describe how your computer behaves at the moment.

See if you can reboot in Normal Mode now and post the HijackThis log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#7 Smalefarms

New Member

New Member
9 posts

Posted 21 April 2008 - 03:54 AM

I still cannot run window in normal mode

Here is combofix and Hijackthis log

ComboFix 08-04-20.2 - Administrator 2008-04-22 9:12:52.4 - NTFSx86 MINIMAL

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS.0\spnkfwad.exe
C:\WINDOWS.0\system32\duvhnvsy.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\John's movies\??\????II????\_desktop.ini
C:\John's movies\??\?ú?\_desktop.ini
C:\Program Files\AsiaSoft\Gravity\RagnarokOnline\data\texture\??????????????\_desktop.ini
C:\Program Files\AsiaSoft\Gravity\RagnarokOnline\data\texture\??????????????\collection\_desktop.ini
C:\Program Files\AsiaSoft\Gravity\RagnarokOnline\data\texture\??????????????\item\_desktop.ini
C:\Program Files\AsiaSoft\Gravity\RagnarokOnline\data\texture\??????????????\login_interface\_desktop.ini
C:\Program Files\AsiaSoft\Gravity\RagnarokOnline\data\texture\??????????????\MAP\_desktop.ini
C:\WINDOWS.0\spnkfwad.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-19 09:14 . 2008-04-21 09:04 664 --a------ C:\WINDOWS.0\system32\d3d9caps.dat
2008-04-15 09:10 . 2008-04-15 09:10 <DIR> d-------- C:\WINDOWS.0\system32\xircom
2008-04-15 08:57 . 2008-04-15 08:57 <DIR> d-------- C:\Deckard
2008-04-15 08:40 . 2008-04-21 22:44 1,024 --ah----- C:\WINDOWS.0\system32\config\systemprofile\ntuser.dat.LOG
2008-04-15 07:51 . 2008-04-15 07:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-15 07:50 . 2008-04-15 07:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-15 07:50 . 2008-04-15 07:50 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Malwarebytes
2008-04-14 12:48 . 2008-04-14 12:48 <DIR> d-------- C:\_OTMoveIt
2008-04-14 11:30 . 2008-04-18 10:54 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-14 10:40 . 2008-04-21 10:02 424 --a------ C:\WINDOWS.0\system32\tmp.reg
2008-04-14 10:12 . 2008-04-14 10:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-13 21:24 . 2008-04-13 21:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-04-13 14:51 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS.0\system32\drivers\MSTEE.sys
2008-04-13 14:27 . 2008-04-13 14:27 <DIR> d-------- C:\Program Files\Innovative Solutions
2008-04-13 14:27 . 2008-04-13 14:27 <DIR> d-------- C:\Program Files\FreeUndelete
2008-04-13 13:43 . 2008-04-19 09:12 121 --a------ C:\WINDOWS.0\bdagent.INI
2008-04-13 13:37 . 2008-04-13 13:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BitDefender
2008-04-13 13:36 . 2008-04-13 13:36 <DIR> d-------- C:\Program Files\BitDefender
2008-04-13 13:36 . 2008-04-13 14:00 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\BitDefender
2008-04-13 13:32 . 2008-04-13 13:36 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-04-13 13:29 . 2008-04-13 13:29 <DIR> d-------- C:\Program Files\UltraISO
2008-04-13 13:29 . 2008-04-13 13:29 <DIR> d-------- C:\Program Files\Common Files\EZB Systems
2008-04-13 12:44 . 2008-04-13 12:44 83 --a------ C:\WINDOWS.0\QtZgAcer.UNI
2008-04-13 12:43 . 2006-06-23 10:39 245,824 -ra------ C:\WINDOWS.0\system32\InstExec.exe
2008-04-13 12:43 . 2006-06-23 10:40 245,824 --a------ C:\WINDOWS.0\Instexec.exe
2008-04-13 12:43 . 2006-06-23 10:39 719 -ra------ C:\WINDOWS.0\system32\InstExec.ini
2008-04-13 12:42 . 1998-10-29 17:45 306,688 --a------ C:\WINDOWS.0\IsUninst.exe
2008-04-13 12:42 . 2008-04-13 12:42 272 --a------ C:\WINDOWS.0\_delis32.ini
2008-04-13 12:26 . 2008-04-13 12:26 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-13 00:54 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS.0\system32\kbdjpn.dll
2008-04-13 00:54 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS.0\system32\kbdkor.dll
2008-04-13 00:54 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS.0\system32\kbd106.dll
2008-04-13 00:54 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS.0\system32\kbd101c.dll
2008-04-13 00:54 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS.0\system32\kbd101b.dll
2008-04-13 00:54 . 2001-08-17 14:55 5,632 --a------ C:\WINDOWS.0\system32\kbd103.dll
2008-04-13 00:48 . 2008-04-13 00:48 <DIR> d-------- C:\Documents and Settings\Administrator\Bluetooth Software
2008-04-13 00:34 . 2008-04-13 00:34 <DIR> d-------- C:\WINDOWS.0\tiinst
2008-04-13 00:32 . 2006-06-12 22:18 162,432 -ra------ C:\WINDOWS.0\system32\drivers\tifm21.sys
2008-04-13 00:26 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS.0\system32\mucltui.dll
2008-04-13 00:26 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS.0\system32\mucltui.dll.mui
2008-04-13 00:25 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS.0\system32\wucltui.dll.mui
2008-04-13 00:25 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS.0\system32\wuaucpl.cpl.mui
2008-04-13 00:25 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS.0\system32\wuapi.dll.mui
2008-04-13 00:25 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS.0\system32\wuaueng.dll.mui
2008-04-13 00:21 . 2008-04-13 00:21 <DIR> d-------- C:\WINDOWS.0\system32\Lang
2008-04-13 00:21 . 2008-04-13 00:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\nView_Profiles
2008-04-13 00:21 . 2008-04-13 00:21 940,794 --a------ C:\WINDOWS.0\system32\LoopyMusic.wav
2008-04-13 00:21 . 2008-04-13 00:21 146,650 --a------ C:\WINDOWS.0\system32\BuzzingBee.wav
2008-04-13 00:17 . 2008-04-13 00:17 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Intel
2008-04-13 00:17 . 2008-04-13 00:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-04-13 00:17 . 2008-04-13 00:17 21,275 --a------ C:\WINDOWS.0\system32\drivers\AegisP.sys
2008-04-13 00:16 . 2008-04-13 00:16 <DIR> d----c--- C:\WINDOWS.0\system32\DRVSTORE
2008-04-13 00:14 . 2006-05-31 20:55 244,864 -ra------ C:\WINDOWS.0\system32\drivers\yk51x86.sys
2008-04-13 00:09 . 2008-04-13 00:09 <DIR> d-------- C:\WINDOWS.0\Options
2008-04-13 00:09 . 2005-12-13 11:08 1,124,097 -ra------ C:\WINDOWS.0\system32\drivers\AGRSM.sys
2008-04-13 00:09 . 2005-12-13 09:50 88,204 -ra------ C:\WINDOWS.0\AGRSMMSG.exe
2008-04-13 00:09 . 2005-05-03 06:10 68,096 --------- C:\WINDOWS.0\system32\agrsmdel.exe
2008-04-13 00:09 . 2005-05-03 06:10 68,096 -ra------ C:\WINDOWS.0\agrsmdel.exe
2008-04-12 23:58 . 2008-04-12 23:58 <DIR> d-------- C:\Program Files\Synaptics
2008-04-12 23:56 . 2006-06-14 09:50 172,416 --a------ C:\WINDOWS.0\system32\drivers\kmixer.sys
2008-04-12 23:56 . 2005-05-28 00:14 142,464 --a------ C:\WINDOWS.0\system32\drivers\aec.sys
2008-04-12 23:56 . 2006-07-18 21:42 135,168 -r------- C:\WINDOWS.0\system32\RtlCPAPI.dll
2008-04-12 23:56 . 2006-06-14 10:17 82,944 --a------ C:\WINDOWS.0\system32\drivers\wdmaud.sys
2008-04-12 23:56 . 2004-08-03 23:15 60,800 --a------ C:\WINDOWS.0\system32\drivers\sysaudio.sys
2008-04-12 23:56 . 2001-08-17 14:00 54,272 --a------ C:\WINDOWS.0\system32\drivers\swmidi.sys
2008-04-12 23:56 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS.0\system32\drivers\DMusic.sys
2008-04-12 23:56 . 2006-07-18 21:41 40,960 -r------- C:\WINDOWS.0\system32\ChCfg.exe
2008-04-12 23:56 . 2006-06-14 09:50 6,272 --a------ C:\WINDOWS.0\system32\drivers\splitter.sys
2008-04-12 23:56 . 2004-08-03 23:07 2,944 --a------ C:\WINDOWS.0\system32\drivers\drmkaud.sys
2008-04-12 23:55 . 2008-04-12 23:56 <DIR> d-------- C:\WINDOWS.0\system32\RTCOM
2008-04-12 23:55 . 2006-07-12 14:50 146,048 --a------ C:\WINDOWS.0\system32\drivers\portcls.sys
2008-04-12 23:55 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS.0\system32\ksproxy.ax
2008-04-12 23:55 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS.0\system32\drivers\drmk.sys
2008-04-12 23:55 . 2004-08-03 22:58 7,552 --a------ C:\WINDOWS.0\system32\drivers\MSKSSRV.sys
2008-04-12 23:55 . 2004-08-03 22:58 5,376 --a------ C:\WINDOWS.0\system32\drivers\MSPCLOCK.sys
2008-04-12 23:55 . 2004-08-03 22:58 4,992 --a------ C:\WINDOWS.0\system32\drivers\MSPQM.sys
2008-04-12 23:55 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS.0\system32\ksuser.dll
2008-04-12 23:54 . 2006-07-18 21:41 487,424 -r------- C:\WINDOWS.0\RtlExUpd.dll
2008-04-12 23:51 . 2008-04-13 00:20 <DIR> d-------- C:\WINDOWS.0\nview
2008-04-12 23:51 . 2006-06-12 18:16 208,896 --a------ C:\WINDOWS.0\system32\NVUNINST.EXE
2008-04-12 23:51 . 2006-06-12 19:11 208,896 --a------ C:\WINDOWS.0\system32\nvudisp.exe
2008-04-12 23:51 . 2008-04-21 23:25 51,048 --a------ C:\WINDOWS.0\system32\nvapps.xml
2008-04-12 23:51 . 2006-06-12 19:11 16,960 --a------ C:\WINDOWS.0\system32\nvdisp.nvu
2008-04-12 23:43 . 2008-04-12 23:43 12,920 --a------ C:\WINDOWS.0\system32\GDIPFONTCACHEV1.DAT
2008-04-12 16:59 . 2008-04-12 16:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sports Interactive
2008-04-12 16:55 . 2008-04-12 16:56 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\FLEXnet
2008-04-12 13:02 . 2008-04-12 13:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ESET
2008-04-12 13:01 . 2008-04-12 13:01 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\ESET
2008-04-08 21:43 . 2008-04-08 21:43 2,560 --a------ C:\WINDOWS.0\system32\bitcometres.dll
2008-04-05 16:38 . 2008-04-05 16:38 <DIR> d--h----- C:\Documents and Settings\Default User.WINDOWS.1
2008-04-05 16:38 . 2008-04-05 16:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.1
2008-04-05 13:02 . 2004-08-03 18:59 57,472 --a------ C:\WINDOWS.0\system32\drivers\redbook.sys
2008-04-05 13:02 . 2001-08-17 09:59 3,072 --a------ C:\WINDOWS.0\system32\drivers\audstub.sys
2008-04-05 13:01 . 2004-08-04 00:56 74,240 --a------ C:\WINDOWS.0\system32\usbui.dll
2008-04-05 13:00 . 2004-08-03 19:07 14,080 --a------ C:\WINDOWS.0\system32\drivers\CmBatt.sys
2008-04-05 13:00 . 2001-08-17 09:57 14,080 --a------ C:\WINDOWS.0\system32\drivers\battc.sys
2008-04-05 13:00 . 2001-08-17 09:58 9,344 --a------ C:\WINDOWS.0\system32\drivers\compbatt.sys
2008-04-05 13:00 . 2004-08-03 19:07 8,832 --a------ C:\WINDOWS.0\system32\drivers\wmiacpi.sys
2008-04-02 14:06 . 2008-04-02 14:06 3,630 --a------ C:\Documents and Settings\Windows_XP\SR-Reg.TXT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 17:53 85,520 ----a-w C:\WINDOWS.0\system32\drivers\bdfndisf.sys
2008-04-13 16:44 --------- d-----w C:\Program Files\Launch Manager
2008-04-13 16:43 --------- d-----w C:\Program Files\Common Files\Logitech
2008-04-13 04:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 03:48 --------- d-----w C:\Program Files\Intel
2008-04-12 20:58 --------- d-----w C:\Program Files\FM Modifier 2.1
2008-04-12 17:01 --------- d-----w C:\Program Files\ESET
2008-04-05 22:05 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-01 14:37 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-01 08:14 --------- d-----w C:\Program Files\BitComet
2008-03-30 07:14 --------- d-----w C:\Program Files\MSN Messenger
2008-03-30 07:14 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-21 14:26 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-21 04:57 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-03-21 04:54 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-21 04:46 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2008-03-21 04:43 --------- d-----w C:\Program Files\Microsoft Synchronization Services
2008-03-21 04:43 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-03-21 04:35 --------- d-----w C:\Program Files\Microsoft SDKs
2008-03-21 02:28 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-21 02:28 --------- d-----w C:\Program Files\MSBuild
2008-03-21 02:21 --------- d-----w C:\Program Files\MSXML 6.0
2006-11-01 05:31 1,669,120 ----a-w C:\Program Files\wmsetsdk.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-15_ 8.54.47.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-15 12:51:08 2,048 --s-a-w C:\WINDOWS.0\bootstat.dat
+ 2008-04-22 13:03:20 2,048 --s-a-w C:\WINDOWS.0\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS.0\pchealth\helpctr\Binaries\MSCONFIG.exe" [2007-02-18 18:38 169984]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users.WINDOWS.0\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS.0\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users.WINDOWS.0\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS.0\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users.WINDOWS.0\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS.0\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\700072b7]
C:\WINDOWS.0\system32\duvhnvsy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Uninstaller PRO Installation Monitor]
--a------ 2007-01-29 16:20 1219584 C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
-ra------ 2005-12-13 09:50 88204 C:\WINDOWS.0\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
--------- 2006-07-18 21:41 53248 C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]
--a------ 2008-04-13 13:52 360448 C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
--a------ 2007-10-25 09:26 1410304 C:\Program Files\ESET\ESET Smart Security\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EOUApp]
--a------ 2006-04-14 11:56 569413 C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2006-04-14 11:52 602182 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a------ 2006-04-14 11:51 667718 C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
--a------ 2006-07-14 00:13 471040 C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2006-06-23 10:39 225280 C:\WINDOWS.0\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-06-12 19:11 7577600 C:\WINDOWS.0\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-06-12 19:11 86016 C:\WINDOWS.0\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-06-12 19:11 1519616 C:\WINDOWS.0\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-07-18 21:42 16248320 C:\WINDOWS.0\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-07-18 21:42 2879488 C:\WINDOWS.0\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-11-20 03:34 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XCOMM"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"Wmi"=3 (0x3)
"WMConnectCDS"=3 (0x3)
"winmgmt"=2 (0x2)
"VSSERV"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"UMWdf"=3 (0x3)
"TrkWks"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"Schedule"=2 (0x2)
"scan"=3 (0x3)
"SamSs"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"NVSvc"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Netman"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"LVPrcSrv"=2 (0x2)
"LIVESRV"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"helpsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EvtEng"=2 (0x2)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"CiSvc"=3 (0x3)
"btwdins"=2 (0x2)
"BITS"=3 (0x3)
"AudioSrv"=2 (0x2)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS.0\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17792:TCP"= 17792:TCP:BitComet 17792 TCP
"17792:UDP"= 17792:UDP:BitComet 17792 UDP

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 09:16:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-22 9:18:08
ComboFix-quarantined-files.txt 2008-04-22 13:17:58
ComboFix2.txt 2008-04-22 05:49:57
ComboFix3.txt 2008-04-22 02:49:46
ComboFix4.txt 2008-04-15 12:55:21

Pre-Run: 68,589,760,512 bytes free
Post-Run: 68,575,289,344 bytes free

299

--------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:23 AM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS.0\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [700072b7] rundll32.exe "C:\WINDOWS.0\system32\duvhnvsy.dll",b
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\Monitor.exe"
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 6189 bytes

#8 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 21 April 2008 - 07:43 AM

Lets run an F-Secure online scan it will scan for Viruses, Spyware and RootKits:

Click HERE
Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
Allow the Active X control to be installed on your computer, then click the Accept button
Click Full System Scan and allow the components to download and the scan to complete.
If malware is found, check Submit samples to F-Secure then select Automatic cleaning
When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan

When the cleaning option is presented, Uncheck Submit samples to F-Secure
Click Automatic cleaning
When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Note: This scan will only work with Internet Explorer.
You must be logged on a administrator rights to run this scan.
The scan may take a few hours.

Also let me know how the computer is running now.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#9 Smalefarms

New Member

New Member
9 posts

Posted 21 April 2008 - 10:16 PM

Scanning Report Wednesday, April 23, 2008 03:25:53 - 04:14:23 Computer name: THIS-13C89D55BA Scanning type: Scan system for malware, rootkits Target: C:\ -------------------------------------------------------------------------------- Result: 3 malware found RiskTool.Win32.Reboot (spyware) System Tracking Cookie (spyware) System Trojan.Win32.Qhost.alb (virus) C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS (Renamed & Submitted) -------------------------------------------------------------------------------- Statistics Scanned: Files: 39874 System: 3097 Not scanned: 633 Actions: Disinfected: 0 Renamed: 1 Deleted: 0 None: 2 Submitted: 1 Files not scanned: ?=]AGEFILE.SYS C:\WINDOWS.0\SYSTEM32\CONFIG\DEFAULT C:\WINDOWS.0\SYSTEM32\CONFIG\SAM C:\WINDOWS.0\SYSTEM32\CONFIG\SECURITY C:\WINDOWS.0\SYSTEM32\CONFIG\SOFTWARE C:\WINDOWS.0\SYSTEM32\CONFIG\SYSTEM C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\A5630761-221.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE00.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE000.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE001.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE002.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE003.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE004.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE007.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE008.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE009.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE010.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE012.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE013.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE014.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE015.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE016.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE017.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE018.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE019.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE020.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE023.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE024.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE025.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\IMAGE_00475.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\ITH46189.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\PICTURE 001.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\PICTURE 002.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\PICTURE 003.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\PICTURE 008.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\PICTURE 009.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\PICTURE 012.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\PICTURE 013.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\PICTURE 014.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\PICTURE 017.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\PICTURE 019.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\PICTURE 020.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\PIC큝? C:\PAGEFILE.SYS C:\WINDOWS.0\SYSTEM32\CONFIG\DEFAULT C:\WINDOWS.0\SYSTEM32\CONFIG\SAM C:\WINDOWS.0\SYSTEM32\CONFIG\SECURITY C:\WINDOWS.0\SYSTEM32\CONFIG\SOFTWARE C:\WINDOWS.0\SYSTEM32\CONFIG\SYSTEM C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\NEW FOLDER\A5630761-221.JPG C:\PROGRAM FILES\COMMON FILES\MACROVISION SHARED\FLE? -------------------------------------------------------------------------------- Options Scanning engines: F-Secure USS: 2.30.0 F-Secure Blacklight: 1.0.64 F-Secure Hydra: 2.8.8110, 2008-04-21 F-Secure Pegasus: 1.20.0, 2008-02-28 F-Secure AVP: 7.0.171, 2008-04-21 Scanning options: Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR Use Advanced heuristics -------------------------------------------------------------------------------- Copyright © 1998-2007 Product support |Send virus sample to F-Secure F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

#10 Smalefarms

New Member

New Member
9 posts

Posted 21 April 2008 - 11:41 PM

I dont know why I can run window in normal mode if I run>msconfig>services>and close all application about Bitdefender I use Bitdefender unauthorised maybe that is the problem My computer seem to work prpperly now. Thank you very much.

Advertisements

Register to Remove

#11 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 22 April 2008 - 06:54 AM

1.Click Start > Settings > Control Panel.
2.Next, open Add/Remove Programs and remove if listed:
BitDefender

Click HERE Click the Download Now and Save, Install, Update and run a full scan.

Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#12 Smalefarms

New Member

New Member
9 posts

Posted 22 April 2008 - 02:15 PM

In case I already have ESET do I have to install AVG ?

#13 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 22 April 2008 - 02:48 PM

In case I already have ESET do I have to install AVG ?

You only want 1 anti-virus program running at one time, so if your ESET is running that should should be fine.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#14 Smalefarms

New Member

New Member
9 posts

Posted 22 April 2008 - 04:02 PM

I think my computer is okay now

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:14 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS.0\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS.0\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS.0\system32\LVCOMSX.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS.0\AGRSMMSG.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS.0\RTHDCPL.EXE
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\WINDOWS.0\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.th/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS.0\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS.0\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 7496 bytes

#15 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 22 April 2008 - 04:09 PM

Good job

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Here's my usual all clean post

Log looks good

You need to create a new Clean restore point.

Note: This will remove all previous Restore Points

Click Start Menu > Run > copy and paste

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
  - From within Internet Explorer click on the Tools menu and then click on Options.
  - Click once on the Security tab
  - Click once on the Internet icon so it becomes highlighted.
  - Click once on the Custom Level button.
  - Change the Download signed ActiveX controls to Prompt
  - Change the Download unsigned ActiveX controls to Disable
  - Change the Initialize and script ActiveX controls not marked as safe to Disable
  - Change the Installation of desktop items to Prompt
  - Change the Launching programs and files in an IFRAME to Prompt
  - Change the Navigate sub-frames across different domains to Prompt
  - When all these settings have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
(Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
Without a firewall your computer is succeptible to being hacked and taken over.
I am very serious about this and see it happen almost every day with my clients.
Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:
Note: I no longer suggest Zone Alarm

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
This will ensure your computer has always the latest security updates available installed on your computer.
If there are new updates to install, install them immediately, reboot your computer, and revisit the site
until there are no more critical updates.
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Winpatrol
Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

Body Background

skin color theme