[Closed] explorer.exe restarts every 5 sec


  • This topic is locked
12 replies to this topic

#1 bonkey666

bonkey666

    New Member

  • 4 posts

Posted 04 June 2008 - 01:59 PM

explorer.exe keeps restarting every 5 sec. or so. I have gone into safe mode and run Spybot and Ad-Aware and it still happens. In safe mode as well, and on a different profile in safe mode as well as normal mode, it still happens. I finally used HijackThis and here is my log file. Please help, this is very aggravating.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:46 PM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Utilities\Antivirus\Adaware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\commserv.exe
D:\Program Stuffs\Utilities\perfect disk\PD91Agent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\MSN Toolbar Suite\SL\02.05.0001.1119\en-us\msn_sl.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\taskmgr.exe
D:\Program Stuffs\Utilities\Cam\LogiTray.exe
D:\Program Stuffs\Utilities\Cam\FxSvr2.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Stuffs\Utilities\Hijak\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! 工具列 (Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Yahoo! 工具列 (Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Stuffs\Utilities\Cam\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Stuffs\Utilities\Cam\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Real Spy Monitor] "D:\Program Stuffs\Utilities\xp tools\Real Spy Monitor\winrsm.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "D:\Program Stuffs\Utilities\Cam\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Utilities\Antivirus\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-18 Startup: Genius Tablet.lnk = C:\gtabnt\GTABLET.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Genius Tablet.lnk = C:\gtabnt\GTABLET.EXE (User 'Default user')
O4 - Startup: Genius Tablet.lnk = C:\gtabnt\GTABLET.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: Yoono suggestions - C:\Program Files\Yoono Explorer Bar\Data\yoonoctxmenu.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\UTILIT~1\ANTIVI~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\UTILIT~1\ANTIVI~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Utilities\Antivirus\Adaware\aawservice.exe
O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\commserv.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Stuffs\Downloads\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - D:\Program Stuffs\Utilities\perfect disk\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - D:\Program Stuffs\Utilities\perfect disk\PD91Engine.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Stuffs\Utilities\VMware\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Snuggle Muffin\My Documents\My Pictures\gif\PDVD_4067.gif
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Snuggle Muffin\My Documents\My Pictures\gif\rhk.gif

-- End of file - 7437 bytes
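A way to read a log like the one above mechanically, as an added example that is not part of the original post and is not HijackThis code: the parser below picks out the numbered entry lines and applies a few of the checks a helper applies by eye (services with no recorded owner, Run keys under the SYSTEM and Default User profiles, autoruns given as a bare file name, a proxy-bypass entry, and names from a small watchlist built from what the reply in this thread calls a keystroke logger). The sample lines are a subset copied from the log above; the rule names, the watchlist and the heuristics are the editor's own.

```python
"""Triage a HijackThis v2 log.

Added example for this thread, not HijackThis code: it parses the numbered
entry lines (R1, O4, O23, ...) and flags the ones a malware-removal helper
reads first.  The rules are the editor's own heuristics; the sample lines are
a subset copied from the log posted above.
"""
import re
from collections import Counter

# Constructed sample: a subset of the entries from the log above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Real Spy Monitor] "D:\Program Stuffs\Utilities\xp tools\Real Spy Monitor\winrsm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Utilities\Antivirus\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Utilities\Antivirus\Adaware\aawservice.exe
O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\commserv.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
-- End of file - 7437 bytes
"""

ENTRY = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_ENTRY = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

# Names the helper in this thread identified as a keystroke logger; a real
# triage list would be far longer (editor's assumption, not a HijackThis list).
WATCHLIST = ("real spy monitor", "winrsm.exe")
SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")


def parse_entries(text):
    """Return (kind, body) for every numbered HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m["kind"], m["body"]))
    return entries


def triage(entries):
    """Apply the heuristics; returns (rule, detail) pairs, one per hit."""
    findings = []
    for kind, body in entries:
        if kind == "R1" and "ProxyOverride" in body:
            # A proxy bypass list is a classic place to hide a traffic redirect.
            findings.append(("proxy-override", body))
        elif kind == "O4":
            m = RUN_ENTRY.match(body)
            if not m:  # Startup-folder .lnk entries use a different layout
                continue
            hive, cmd = m["hive"], m["cmd"]
            if hive.startswith(SYSTEM_HIVES):
                # Run keys under S-1-5-18 / .DEFAULT execute as SYSTEM or at
                # the logon screen, before any user has signed in.
                findings.append(("autorun-system-profile", body))
            if "\\" not in cmd:
                # A bare file name is resolved by path search, so whichever
                # binary of that name is found first gets executed.
                findings.append(("autorun-unqualified-path", body))
            if any(w in body.lower() for w in WATCHLIST):
                findings.append(("autorun-watchlist", body))
        elif kind == "O23" and body.startswith("Service: ") and " - " in body:
            head, path = body.rsplit(" - ", 1)
            name, _, owner = head[len("Service: "):].partition(" - ")
            if owner == "Unknown owner":
                # No vendor in the version resource: verify the file by hash.
                findings.append(("service-unknown-owner", f"{name} -> {path}"))
            if "remote" in name.lower():
                # The service's own name says it accepts remote connections.
                findings.append(("service-remote-listener", f"{name} -> {path}"))
    return findings


def summarize(text):
    """Count findings per rule for a whole log."""
    return Counter(rule for rule, _ in triage(parse_entries(text)))


if __name__ == "__main__":
    for rule, detail in triage(parse_entries(SAMPLE_LOG)):
        print(f"{rule:26} {detail}")
```

Each hit prints with its rule; summarize() gives per-rule counts for a whole log. A hit is a prompt to verify the binary (hash it, check its signature and install date), not a verdict: "Unknown owner" only means the file carries no vendor name in its version resource.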



#2 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 04 June 2008 - 07:30 PM

Hi bonkey666, and Welcome to WhatTheTech

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


As I am still training, my posts to you will be checked by an Expert member. This will ensure that all advice and instructions I give you are accurate and safe. This may mean that my replies may take a little longer.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#3 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 04 June 2008 - 10:43 PM

bonkey666,

Your computer appears to have been infected by a backdoor trojan. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps
This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

If you wish to reformat then please let me know in your next response, I'll now continue with instructions for cleaning.

Realspy keystroke logger is installed on your computer. This program performs just like it sounds. It records every keystroke on your computer to monitor activity. Programs such as this are sometimes installed on purpose to monitor activity such as a parent to monitor activity of a child. Did you install this?


You aren't running Anti Virus Software

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software (for personal use) from one of these excellent vendors NOW:

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial user
3) AVG Anti-Virus Free Edition
- Free edition of the AVG anti-virus program for Windows.
- Available for single computer use for home and non commercial use.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

A. Please download ComboFix by sUBs from HERE or HERE directly to your Desktop.

Note: If you already have ComboFix on your machine, please DELETE it from your desktop before downloading the newest version.

B. Now we must disable some of your security programs so that they do not interfere with the running of our tools:

SPYBOT TEATIMER
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • (When we are done, you can re-enable TeaTimer using the same steps, but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

IF YOU INSTALLED AVIRA
AVIRA ANTIVIR
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background.
  • Right-click it -> untick the option "AntiVir Guard enable".
  • You should now see a closed white umbrella on a red background.
You have successfully disabled the AntiVir Guard.

IF YOU INSTALLED AVAST

AVAST
Right-click on the avast! icon in the system tray and choose "Stop On-Access Protection".

IF YOU INSTALLED AVG
AVG
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.



Go to Start -> Run -> copy/paste the following single line command in the run box & click OK

"%userprofile%\desktop\combofix.exe" /killall

  • DO NOT USE your computer for any other purpose while ComboFix is running.
  • ComboFix may restart your computer, this is normal.
  • When finished, it will produce a log, ComboFix.txt.
  • Please post ComboFix.txt in your next reply along with a new HijackThis log.


Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

#4 bonkey666

bonkey666

    New Member

  • 4 posts

Posted 05 June 2008 - 01:57 AM

Here is the combofix log:

ComboFix 08-06-04.3 - Snuggle Muffin 2008-06-05 3:43:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.715 [GMT -4:00]
Running from: f:\Utilities\combofix.exe
Command switches used :: /killall
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\.#
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\khfccbx.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\qtutv.ini
C:\WINDOWS\system32\qtutv.ini2
C:\WINDOWS\system32\vtutq.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-04 18:40 . 2004-08-04 08:00 185,856 --a------ C:\WINDOWS\system32\framedyn.dll
2008-06-04 14:27 . 2008-06-04 14:25 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-04 14:25 . 2008-06-04 14:27 <DIR> d-------- C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\.housecall6.6
2008-06-03 15:00 . 2008-06-03 15:00 <DIR> d-------- C:\WINDOWS\RSM
2008-06-03 15:00 . 2008-06-03 15:00 <DIR> d-------- C:\Program Files\MSN Messenger
2008-06-03 14:36 . 2008-06-03 14:36 80 --a------ C:\WINDOWS\RegisterRSM.ini
2008-06-03 14:35 . 2008-06-03 14:39 1,256 --a------ C:\WINDOWS\Monitor.ini
2008-06-03 14:34 . 2008-06-03 14:34 806 --a------ C:\WINDOWS\system32\realspy.lnk
2008-06-03 01:01 . 2008-06-03 14:33 424 --a------ C:\WINDOWS\zipgenius.xml
2008-06-02 11:34 . 2008-06-02 16:58 25,992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe
2008-06-02 01:05 . 2008-06-02 13:02 280 --a------ C:\WINDOWS\system32\PDBootState
2008-06-01 20:38 . 2008-06-01 20:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Raxco
2008-06-01 20:38 . 2008-04-10 12:08 71,184 -ra------ C:\WINDOWS\system32\drivers\DefragFS.sys
2008-06-01 10:16 . 2008-06-01 10:16 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-23 12:45 . 2008-05-23 12:45 <DIR> d-------- C:\Program Files\MySpace
2008-05-22 21:08 . 2008-05-22 21:09 <DIR> d-------- C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\7Wonders
2008-05-20 02:58 . 2008-05-20 02:58 <DIR> d-------- C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\funkitron
2008-05-20 00:19 . 2008-06-04 17:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-20 00:19 . 2008-05-20 00:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-20 00:18 . 2008-05-20 00:18 313 --a------ C:\WINDOWS\doom3.ini
2008-05-16 16:54 . 2008-05-16 16:56 <DIR> d-------- C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\.SunDownloadManager
2008-05-16 14:29 . 2008-05-16 14:29 <DIR> d-------- C:\Program Files\LiveUpdate
2008-05-16 14:29 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-05-16 14:29 . 2004-08-03 23:08 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
2008-05-16 14:28 . 2008-05-16 14:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\BVRP Software
2008-05-16 14:26 . 2006-11-13 14:45 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-05-16 14:26 . 2006-10-08 21:51 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-16 14:26 . 2007-06-18 14:18 23,680 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-05-16 14:26 . 2008-05-16 14:26 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-16 14:26 . 2008-05-16 14:26 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-05-16 14:25 . 2008-05-16 14:25 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-05-12 21:51 . 2008-05-12 21:51 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-05-12 21:51 . 2008-05-12 21:51 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-05-05 11:00 . 2008-05-05 11:00 <DIR> d-------- C:\Program Files\aVis
2008-05-05 10:58 . 2008-05-21 14:12 311 --a------ C:\WINDOWS\SoundGraffiti.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 07:49 --------- d-----w C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\VMware
2008-06-05 07:49 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\VMware
2008-06-04 23:39 --------- d-----w C:\Program Files\DivX
2008-06-04 21:25 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\OpenOffice.org2
2008-06-03 05:01 --------- d-----w C:\Program Files\ZipGenius 6
2008-06-03 05:01 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\ZipGenius
2008-06-02 14:56 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\uTorrent
2008-05-16 18:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-16 17:37 --------- d-----w C:\Program Files\Planestate
2008-05-05 14:58 --------- d-----w C:\Program Files\Winamp
2008-05-04 15:09 --------- d-----w C:\Program Files\Common Files\NSV
2008-05-04 03:00 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Go Go Gourmet
2008-05-04 02:24 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-05-03 21:51 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-05-03 21:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-03 21:18 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-05-01 23:37 --------- d-----w C:\Program Files\Three Rings Design
2008-05-01 23:36 --------- d-----w C:\Program Files\Java
2008-04-26 05:26 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\Darwin
2008-04-26 05:24 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\rionix
2008-04-25 20:31 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\ScreenSeven
2008-04-25 20:19 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\Gamelab
2008-04-25 05:12 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Oberon Games
2008-04-24 21:58 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\BloodTies
2008-04-24 17:12 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\iWin
2008-04-24 17:11 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\iWin
2008-04-24 03:11 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\QB9 S.R.L
2008-04-24 01:40 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\PlayFirst
2008-04-24 01:40 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\PlayFirst
2008-04-23 22:38 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\Valusoft
2008-04-23 22:38 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Valusoft
2008-04-23 07:22 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Zylom
2008-04-23 06:45 126,976 ----a-w C:\WINDOWS\system32\commserv.exe
2008-04-23 06:22 --------- d-----w C:\Program Files\BFG
2008-04-23 06:15 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\GameHouse
2008-04-23 06:14 --------- d-----w C:\Program Files\GameHouse
2008-04-23 06:12 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\MythPeople
2008-04-22 20:01 --------- d-----w C:\Program Files\Evil Player
2008-04-22 02:01 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\Atari
2008-04-21 22:09 --------- d-----w C:\Program Files\Notepad++
2008-04-21 07:45 --------- d-----w C:\Program Files\SommerLine
2008-04-21 04:17 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-04-21 03:50 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\Auslogics
2008-04-21 03:49 --------- d-----w C:\Program Files\Auslogics
2008-04-18 20:55 --------- d-----w C:\Program Files\Tank O Box
2008-04-18 20:28 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\flightgear.org
2008-04-18 19:49 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\ImgBurn
2008-04-18 19:43 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\VMware
2008-04-18 19:42 --------- d-----w C:\Program Files\ReNamer
2008-04-18 19:19 --------- d-----w C:\Program Files\AceMoney
2008-04-18 18:10 68,096 ----a-w C:\WINDOWS\ScUnin.exe
2008-04-18 18:01 --------- d-----w C:\Program Files\Wizards of the Coast
2008-04-18 17:22 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Ahead
2008-04-18 17:21 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-18 16:52 249,856 ------w C:\WINDOWS\Setup1.exe
2008-04-18 16:51 --------- d-----w C:\Program Files\Crapsoft
2008-04-18 16:24 --------- d-----w C:\Program Files\TUGZip
2008-04-18 16:24 --------- d-----w C:\Program Files\TPlayer
2008-04-18 16:13 --------- d-----w C:\Program Files\Common Files\VMware
2008-04-18 16:09 --------- d-----w C:\Program Files\ScummVM
2008-04-18 16:00 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\MSN Search Toolbar
2008-04-18 15:58 --------- d-----w C:\Program Files\MSN Toolbar Suite
2008-04-18 15:54 --------- d-----w C:\Program Files\Belarc
2008-04-18 15:54 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\MSN Search Toolbar
2008-04-18 15:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-04-18 15:36 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\KompoZer
2008-04-18 15:18 --------- d-----w C:\Program Files\PCPitstop
2008-04-18 15:10 --------- d-----w C:\Program Files\The Great Tree
2008-04-18 05:39 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\HipSoft
2008-04-18 03:28 319 ----a-w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\bbbconfig.dat
2008-04-18 03:11 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\MysteryStudio
2008-04-17 20:28 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\dvdcss
2008-04-17 20:16 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\Ahead
2008-04-16 20:07 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
2008-04-16 17:00 230,664 ----a-w C:\WINDOWS\system32\PDBoot.exe
2008-04-14 22:27 --------- d-----w C:\Program Files\Planematrix
2008-04-14 19:44 --------- d-----w C:\Program Files\ChefTec
2008-04-14 19:44 --------- d-----w C:\Program Files\Borland
2008-04-14 19:29 --------- d-----w C:\Program Files\Stardock
2008-04-14 19:16 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-14 03:26 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\Notepad++
2008-04-14 00:52 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\Dev-Cpp
2008-04-14 00:34 --------- d-----w C:\Program Files\Unlocker
2008-04-14 00:31 48,456 ----a-w C:\WINDOWS\system32\UninstallElectricSheep.exe
2008-04-09 20:15 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\MinigolfAdventures
2008-04-09 16:46 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\Teggo
2008-04-09 16:43 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Sandlot Games
2008-04-09 16:30 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\Chicken Chase
2008-04-07 20:13 --------- d-----w C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Application Data\Legends of pirates
2008-04-07 18:59 73,216 ------w C:\WINDOWS\ST6UNST.EXE
2008-04-07 18:19 --------- d-----w C:\Program Files\MP3Gain
2008-04-07 16:57 --------- d-----w C:\Program Files\FreshDevices
2008-04-07 16:36 --------- d-----w C:\Program Files\QuickTime
2008-04-07 16:34 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-04-07 16:23 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-07 16:23 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\InstallShield
2008-04-07 15:58 --------- d-----w C:\Program Files\IrfanView
2008-04-07 03:41 --------- d-----w C:\Program Files\Common Files\Logitech
2008-04-06 02:54 --------- d-----w C:\Program Files\WinPcap
2008-04-05 20:05 --------- d-----w C:\Program Files\USB Driver Vers. 3.2
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@desktop@.dat
.

------- Sigcheck -------

2008-04-04 01:57 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1FB63E52-4D6E-48C1-A08F-F630FE50F337}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46A7C608-FBC5-41E3-9DF6-A53D5930C00A}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 17:44 140288]
"LogitechSoftwareUpdate"="D:\Program Stuffs\Utilities\Cam\ManifestEngine.exe" [2004-06-01 06:46 196608]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-04-05 15:01 16384]
"SpybotSD TeaTimer"="C:\Program Files\Utilities\Antivirus\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2006-02-21 21:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 06:48 157592]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 19:15 106496]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 19:20 77824 C:\WINDOWS\SOUNDMAN.EXE]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-05 01:32 53248]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-05-21 19:11 221184]
"LogitechVideoRepair"="D:\Program Stuffs\Utilities\Cam\ISStart.exe" [2004-06-01 11:09 458752]
"LogitechVideoTray"="D:\Program Stuffs\Utilities\Cam\LogiTray.exe" [2004-06-01 11:03 217088]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-03-01 01:10 15872]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-07 12:35 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 19:27 9117696]

C:\Documents and Settings\Snuggle Muffin.ZOMGWTFBBQ\Start Menu\Programs\Startup\
Genius Tablet.lnk - C:\gtabnt\GTABLET.EXE [2007-02-28 02:37:21 21504]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2008-04-05 14:56:20 114688]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 18:10:04 238080]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoStartMenuPinnedList"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\Snuggle Muffin\My Documents\My Pictures\gif\PDVD_4067.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Documents and Settings\Snuggle Muffin\My Documents\My Pictures\gif\rhk.gif
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfccbx]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\Program Files\Common Files\Stardock\mcpstub.dll 2005-01-31 18:13 49152 C:\Program Files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2008-04-04 15:31 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.enc"= ITIG726.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Real Spy Monitor"="D:\Program Stuffs\Utilities\xp tools\Real Spy Monitor\winrsm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R2 Active Common Service;Active Common Service;C:\WINDOWS\system32\commserv.exe [2008-04-23 02:45]
R2 PD91Agent;PD91Agent;"D:\Program Stuffs\Utilities\perfect disk\PD91Agent.exe" [2008-04-16 13:00]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []
S3 PD91Engine;PD91Engine;"D:\Program Stuffs\Utilities\perfect disk\PD91Engine.exe" [2008-04-16 13:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fe771ff-03e6-11dd-a770-0013d45eff1b}]
\Shell\AutoRun\command - PortableApps\BlackBox\blackbox.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 03:48:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Utilities\Antivirus\Adaware\aawservice.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
D:\Program Stuffs\Utilities\VMware\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
D:\Program Stuffs\Utilities\Cam\FxSvr2.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\MSN Toolbar Suite\SL\02.05.0001.1119\en-us\msn_sl.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-05 3:53:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 07:53:32

Pre-Run: 4,545,830,912 bytes free
Post-Run: 4,787,118,080 bytes free

293


And here is the hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:54, on 2008-06-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Utilities\Antivirus\Adaware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\commserv.exe
D:\Program Stuffs\Utilities\perfect disk\PD91Agent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
D:\Program Stuffs\Utilities\VMware\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
D:\Program Stuffs\Utilities\Cam\LogiTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Utilities\Antivirus\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
D:\Program Stuffs\Utilities\Cam\FxSvr2.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\windowssearch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Stuffs\Utilities\Hijak\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\UTILIT~1\ANTIVI~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Stuffs\Utilities\Cam\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Stuffs\Utilities\Cam\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "D:\Program Stuffs\Utilities\Cam\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Utilities\Antivirus\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-18 Startup: Genius Tablet.lnk = C:\gtabnt\GTABLET.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Genius Tablet.lnk = C:\gtabnt\GTABLET.EXE (User 'Default user')
O4 - Startup: Genius Tablet.lnk = C:\gtabnt\GTABLET.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: Yoono suggestions - C:\Program Files\Yoono Explorer Bar\Data\yoonoctxmenu.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\UTILIT~1\ANTIVI~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\UTILIT~1\ANTIVI~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Utilities\Antivirus\Adaware\aawservice.exe
O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\commserv.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Stuffs\Downloads\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - D:\Program Stuffs\Utilities\perfect disk\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - D:\Program Stuffs\Utilities\perfect disk\PD91Engine.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Stuffs\Utilities\VMware\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Snuggle Muffin\My Documents\My Pictures\gif\PDVD_4067.gif
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Snuggle Muffin\My Documents\My Pictures\gif\rhk.gif

--
End of file - 9103 bytes


So far this appears to have solved the problem!
You are wonderful and I thank you so very much, I will be installing antivirus next.
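
The registry section of the ComboFix log above is where the security-relevant material sits: a Winlogon Notify package (khfccbx) with no DLL listed behind it, AppInit_DLLs set, a disabled "run-" entry for the Real Spy Monitor keylogger, both Security Center warnings switched off, the Windows Firewall disabled for the standard profile, and an AutoRun command registered on a mounted volume. The script below is an added example written for this thread; it is not ComboFix code and not something the forum helpers posted. It parses an excerpt of that registry section (copied from the log above and embedded inline) and lists the settings an analyst would question. The function names and the finding labels are this example's own.

```python
"""Review the registry section of a ComboFix log for persistence and
defence-evasion settings.

Added example for this thread, not part of ComboFix or of the forum's own
tooling. It parses log text only, so it runs on any platform.
"""
import re
from typing import Dict, List, Optional, Tuple

# Excerpt of the ComboFix registry section posted above (5 June 2008).
COMBOFIX_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfccbx]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2008-04-04 15:31 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Real Spy Monitor"="D:\Program Stuffs\Utilities\xp tools\Real Spy Monitor\winrsm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fe771ff-03e6-11dd-a770-0013d45eff1b}]
\Shell\AutoRun\command - PortableApps\BlackBox\blackbox.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\key] header line
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"=value line


def parse_registry_section(text: str) -> Dict[str, List[str]]:
    """Map each [key] header to the non-empty lines printed beneath it."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections


def as_int(value: str) -> Optional[int]:
    """Decode the value notations ComboFix prints: dword:0000000a, 0 (0x0), plain 1."""
    m = re.match(r"dword:([0-9a-fA-F]+)", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def review(text: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for the settings an analyst should question."""
    findings: List[Tuple[str, str]] = []
    for key, lines in parse_registry_section(text).items():
        k = key.lower()
        values = {m.group(1): m.group(2) for m in map(VALUE_RE.match, lines) if m}
        # A Notify package is loaded by winlogon.exe at logon; one with no DLL
        # shown is either orphaned or hiding its payload.
        if "\\winlogon\\notify\\" in k and not lines:
            findings.append(("winlogon notify package with no DLL listed", key.rsplit("\\", 1)[1]))
        # AppInit_DLLs is mapped into every process that loads user32.dll.
        if values.get("AppInit_DLLs"):
            findings.append(("AppInit_DLLs injects into every user32 process", values["AppInit_DLLs"]))
        if k.endswith("\\security center"):
            for name in ("AntiVirusDisableNotify", "UpdatesDisableNotify"):
                if as_int(values.get(name, "")) == 1:
                    findings.append(("Security Center warning suppressed", name))
        if k.endswith("\\firewallpolicy\\standardprofile") and as_int(values.get("EnableFirewall", "")) == 0:
            findings.append(("Windows Firewall disabled", "standard profile"))
        # "run-" holds Run entries disabled via msconfig: not running, still installed.
        if k.endswith("\\run-"):
            for name, value in values.items():
                findings.append(("disabled Run entry still on disk", f"{name} -> {value}"))
        # MountPoints2 caches per-volume AutoRun handlers (USB sticks, CDs).
        if "\\mountpoints2\\" in k:
            for line in lines:
                if "\\shell\\autorun\\command" in line.lower():
                    findings.append(("AutoRun command registered for a volume", line))
    return findings


if __name__ == "__main__":
    for finding, detail in review(COMBOFIX_EXCERPT):
        print(f"{finding}: {detail}")
```

The output is a list of review points, not verdicts: the khfccbx Notify key is the one item here with nothing behind it, the disabled Real Spy Monitor entry matches the keylogger the user later admits installing, and the Security Center and firewall values show protection was switched off rather than merely missing. wbsys.dll, by contrast, most likely belongs to the same Stardock WindowBlinds install that the WBSrv Notify entry points at, so it is flagged only so that someone checks it.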

#5 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 05 June 2008 - 04:26 PM

bonkey666, You aren't clean yet. Before we can continue, I need you to install Antivirus and then post a new HijackThis log. I also need to know if you installed the Realspy keystroke logger.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#6 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 10 June 2008 - 07:12 AM

bonkey666, How is it going? Are you having trouble with the instructions?
Tomk

#7 bonkey666

bonkey666

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 11 June 2008 - 08:15 AM

Sorry, I've been away at my mother-in-law's. Yes, I installed the keylogger because someone was dickering with my computer and I wanted proof that they had done it. Here is the new log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:47 AM, on 6/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Utilities\Antivirus\Adaware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Stuffs\Utilities\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Stuffs\Utilities\perfect disk\PD91Agent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
D:\Program Stuffs\Utilities\VMware\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
D:\Program Stuffs\Utilities\Cam\LogiTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Stuffs\Utilities\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Utilities\Antivirus\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
D:\Program Stuffs\Utilities\Cam\FxSvr2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Stuffs\Utilities\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Stuffs\Utilities\Hijak\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\UTILIT~1\ANTIVI~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Stuffs\Utilities\Cam\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Stuffs\Utilities\Cam\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "D:\Program Stuffs\Utilities\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [svcmon] F:\Utilities\Securing your systems\pin\svcmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "D:\Program Stuffs\Utilities\Cam\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Utilities\Antivirus\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-18 Startup: Genius Tablet.lnk = C:\gtabnt\GTABLET.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Genius Tablet.lnk = C:\gtabnt\GTABLET.EXE (User 'Default user')
O4 - Startup: Genius Tablet.lnk = C:\gtabnt\GTABLET.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Yoono suggestions - C:\Program Files\Yoono Explorer Bar\Data\yoonoctxmenu.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\UTILIT~1\ANTIVI~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\UTILIT~1\ANTIVI~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1212878824218
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Utilities\Antivirus\Adaware\aawservice.exe
O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\commserv.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Stuffs\Utilities\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Stuffs\Utilities\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Stuffs\Downloads\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - D:\Program Stuffs\Utilities\perfect disk\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - D:\Program Stuffs\Utilities\perfect disk\PD91Engine.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Stuffs\Utilities\VMware\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Snuggle Muffin\My Documents\My Pictures\gif\PDVD_4067.gif
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Snuggle Muffin\My Documents\My Pictures\gif\rhk.gif

--
End of file - 10288 bytes
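
Two HijackThis logs six days apart are easiest to judge side by side: what appeared, what disappeared, and which of the current entries deserve a closer look. The script below is an added example written for this thread, not part of HijackThis, ComboFix or the forum's tooling. It parses short excerpts of the 5 June and 11 June logs (copied from the thread and embedded inline), diffs them, and flags entries on simple analyst rules. It assumes, from the paths in the logs, that C: and D: are the drives software legitimately lives on here; the function names and flag wording are this example's own.

```python
"""Diff two HijackThis logs and flag the entries worth a second look.

Added example for this thread, not HijackThis or ComboFix code. It parses
the log text only, so it runs anywhere.
"""
import re
from typing import Dict, List, Set, Tuple

# Excerpts of the two HijackThis logs posted above (5 June and 11 June 2008).
HJT_5_JUNE = r"""
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\commserv.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - D:\Program Stuffs\Utilities\perfect disk\PD91Agent.exe
"""

HJT_11_JUNE = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [svcmon] F:\Utilities\Securing your systems\pin\svcmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\commserv.exe (file missing)
O23 - Service: PD91Agent - Raxco Software, Inc. - D:\Program Stuffs\Utilities\perfect disk\PD91Agent.exe
"""

# A HijackThis entry starts with its section code (R0-R3, F0-F3, O1-O24).
ENTRY_RE = re.compile(r"^(?:R\d|F\d|O\d{1,2}) - ")
DRIVE_RE = re.compile(r"\b([A-Za-z]):\\")

# Assumption taken from the logs above: Windows on C:, applications on D:.
SYSTEM_DRIVES = {"C", "D"}


def parse_hjt(text: str) -> Set[str]:
    """Return the set of entry lines in a HijackThis log, whitespace-trimmed."""
    return {ln.strip() for ln in text.splitlines() if ENTRY_RE.match(ln.strip())}


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """(appeared, disappeared) between two logs, as sorted entry lists."""
    old, new = parse_hjt(before), parse_hjt(after)
    return sorted(new - old), sorted(old - new)


def flag_entry(entry: str, system_drives: Set[str] = SYSTEM_DRIVES) -> List[str]:
    """Reasons an analyst would pull this entry out for a closer look."""
    reasons: List[str] = []
    # HijackThis marks a registration whose binary is gone from disk.
    if "(file missing)" in entry or "(no file)" in entry:
        reasons.append("registered binary no longer on disk")
    # Services with no version-info publisher are the first ones to identify.
    if entry.startswith("O23") and "Unknown owner" in entry:
        reasons.append("service binary carries no publisher name")
    # A Run value in the SYSTEM hive executes without any user logging on.
    if entry.startswith("O4") and "(User 'SYSTEM')" in entry:
        reasons.append("Run entry executes in the SYSTEM profile")
    letters = {d.upper() for d in DRIVE_RE.findall(entry)}
    foreign = sorted(letters - system_drives)
    if foreign:
        reasons.append("autostart from non-system drive " + ", ".join(d + ":" for d in foreign))
    return reasons


def triage(before: str, after: str) -> Dict[str, object]:
    """Diff two logs and flag notable entries in the current (after) log."""
    added, removed = diff_logs(before, after)
    flags: Dict[str, List[str]] = {}
    for entry in sorted(parse_hjt(after)):
        reasons = flag_entry(entry)
        if reasons:
            flags[entry] = reasons
    return {"added": added, "removed": removed, "flags": flags}


if __name__ == "__main__":
    report = triage(HJT_5_JUNE, HJT_11_JUNE)
    for key in ("added", "removed"):
        print(f"== {key} ==")
        for e in report[key]:
            print("  " + e)
    print("== flagged in current log ==")
    for e, reasons in report["flags"].items():
        print("  " + e + "\n    -> " + "; ".join(reasons))
```

On these excerpts the diff surfaces exactly the items that matter in the thread: the new svcmon.exe Run entry launched from an F: drive, the Active Common Service whose commserv.exe is now marked "(file missing)" (ComboFix removed the file but the service registration remained, which is why it still needs cleaning up), and a nameless BHO with no file behind it. A "file missing" mark right after a cleanup run is expected for what was deleted; the point is that the orphaned registration is still there to be removed.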

#8 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 11 June 2008 - 12:37 PM

bonkey666,

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    KILLALL::
    
    File::
    C:\WINDOWS\system32\commserv.exe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1FB63E52-4D6E-48C1-A08F-F630FE50F337}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46A7C608-FBC5-41E3-9DF6-A53D5930C00A}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfccbx]
    
    Driver::
    Active Common Service
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    (screenshot not reproduced: CFScript.txt being dragged onto ComboFix.exe)
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

THEN

Please do an online scan with Kaspersky Online Scanner

Note: You must be using Internet Explorer as your browser as it will be necessary to install an ActiveX component to your computer.

Important If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Now under select a target to scan select My Computer.
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

In your next reply please provide:
  • ComboFix.txt
  • Kaspersky report
  • New HijackThis log

Tomk

#9 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 16 June 2008 - 11:03 AM

bonkey666, How is it going? Are you still with me?
Tomk

#10 bonkey666

bonkey666

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 18 June 2008 - 10:29 AM

Yes, there were family problems and I've been gone for a few days. I will follow your instructions today and post results.

#11 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 18 June 2008 - 01:31 PM

bonkey666, Not a problem. I'll await your information.
Tomk

#12 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 22 June 2008 - 08:59 PM

bonkey666, How's it going? Were you able to continue?
Tomk

#13 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 25 June 2008 - 03:18 PM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log
