Read this topic before posting a log.
DO NOT post a ComboFix log unless requested to.
Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.
When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.
Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Nov 20 2008, 06:24 PM, Post #1
The following is the log of ComboFix:

ComboFix 08-11-17.01 - 2008-11-21 0:15:25.18 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.640 [GMT 2:00]
Running from: D:\ComboFix.exe
Command switches used :: c:\documents and settings\Maged\Desktop\CFScript
* Created a new restore point

FILE ::
c:\windows\system32\CF17156.exe
c:\windows\system32\drivers\nfmnhi.sys
.

((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-20 17:42 . 2008-11-20 03:51 1,602,969 --a------ C:\SDFix.exe
2008-11-20 15:49 . 2008-11-20 15:49 <DIR> d--hs---- c:\documents and settings\NetworkService
2008-11-20 15:49 . 2008-11-20 15:49 <DIR> d--hs---- c:\documents and settings\LocalService
2008-11-20 04:11 . 2008-11-20 04:11 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-18 18:44 . 2008-11-18 18:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-18 18:43 . 2008-11-19 18:02 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-18 18:43 . 2008-11-19 18:02 <DIR> d-------- c:\documents and settings\Maged\Application Data\SUPERAntiSpyware.com
2008-11-18 18:34 . 2008-11-18 18:34 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-18 18:13 . 2008-11-18 18:34 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-18 17:51 . 2008-11-19 18:11 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-18 17:51 . 2008-11-19 18:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-18 17:02 . 2008-11-18 17:02 <DIR> d-------- c:\program files\Trend Micro
2008-11-18 13:03 . 2008-11-18 13:03 <DIR> d-------- c:\windows\Recent
2008-11-18 13:03 . 2008-11-18 13:03 <DIR> d-------- c:\windows\Cookies
2008-11-17 20:48 . 2008-11-17 20:48 4,024 --a------ c:\windows\system32\tmp.reg
2008-11-17 20:47 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-17 20:47 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-17 20:47 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-17 20:47 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-17 20:47 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-17 20:47 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-17 20:47 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-17 20:47 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-17 20:47 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-17 20:47 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-17 11:42 . 2008-11-17 11:42 <DIR> d-------- c:\program files\AnVir Task Manager Pro
2008-11-17 11:41 . 2008-11-17 11:41 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-11-12 19:49 . 2008-10-24 13:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 19:45 . 2008-09-04 19:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-10-30 18:36 . 2008-10-30 18:41 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-10-29 06:44 . 2008-10-30 18:20 <DIR> d-------- c:\program files\Recovery Toolbox for RAR
2008-10-24 08:35 . 2008-10-15 18:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-23 12:21 . 2008-10-23 12:22 <DIR> d-------- c:\documents and settings\Maged\.idlerc
2008-10-23 10:50 . 2004-08-04 15:00 1,039,955 --a--c--- c:\windows\system32\dllcache\cmnresm.dll
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 16:34 --------- d-----w c:\program files\Java
2008-11-15 09:20 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2008-11-09 10:37 --------- d-----w c:\program files\Common Files\Adobe
2008-10-28 17:57 --------- d-----w c:\program files\Free Download Manager
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 10:40 --------- d-----w c:\documents and settings\Maged\Application Data\gtk-2.0
2008-10-13 15:05 --------- d-----w c:\program files\Veritask Software
2008-10-13 12:47 8,959 ----a-w c:\windows\system32\drivers\U3sHlpDr.sys
2008-10-13 12:47 --------- d-----w c:\documents and settings\All Users\Application Data\TST Biometrics
2008-10-13 11:20 --------- d-----w c:\program files\ImageJ
2008-10-12 19:08 --------- d-----w c:\program files\Gimp-2.0
2008-10-12 19:02 --------- d-----w c:\program files\Priore
2008-10-10 09:22 --------- d-----w c:\documents and settings\Maged\Application Data\FinalBurner .ISO
2008-10-10 09:20 --------- d-----w c:\documents and settings\Maged\Application Data\ImgBurn
2008-10-10 09:14 --------- d-----w c:\program files\ImgBurn
2008-10-10 09:14 --------- d-----w c:\documents and settings\Maged\Application Data\DeepBurner
2008-10-10 09:10 --------- d-----w c:\program files\Astonsoft
2008-10-10 08:54 --------- d-----w c:\program files\CDBurnerXP
2008-10-10 08:54 --------- d-----w c:\documents and settings\Maged\Application Data\Canneverbe_Limited
2008-10-07 19:28 --------- d-----w c:\program files\Windows Live Safety Center
2008-10-05 17:15 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-05-23 11:02 44,120 ----a-w c:\documents and settings\Maged\Application Data\GDIPFONTCACHEV1.DAT
2007-12-30 22:45 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-11-18_16.35.39.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-11-28 20:55:58 118,784 ----a-w c:\windows\system32\igfxpers.exe
+ 2005-11-28 20:55:58 188,416 ----a-w c:\windows\system32\igfxpers.exe
- 2008-06-09 22:21:01 135,168 ----a-w c:\windows\system32\java.exe
+ 2008-11-18 16:34:28 144,792 ----a-w c:\windows\system32\java.exe
- 2008-06-09 22:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2008-11-18 16:34:28 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-06-09 23:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-18 16:34:28 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-20 22:20:06 16,384 ----atw c:\windows\temp\Perflib_Perfdata_cc.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 172032]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 159744]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 188416]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 831577]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 421888]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2005-11-30 151552]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 196608]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 745542]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 680006]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 561152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-12 255528]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3813376]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-18 210328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 117616]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-10 c:\windows\RTHDCPL.exe]
"TPSMain"="TPSMain.exe" [2005-08-03 c:\windows\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 c:\windows\system32\TDispVol.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-12-07 1744896]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 161184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iPMS.exe]
"Debugger"=dummy.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iPMS20.exe]
"Debugger"=dummy.dat

[HKLM\~\startupfolder\C:^Documents and Settings^Maged^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Maged\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\ImageJ\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLLoginProxy.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\Toshiba.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\tosBtProc.exe"=
"c:\\WINDOWS\\ALCMTR.EXE"=
"c:\\Program Files\\Toshiba\\Toshiba Applet\\thotkey.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\WINDOWS\\AGRSMMSG.exe"=
"c:\\Program Files\\TOSHIBA\\Tvs\\TvsTray.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\WINDOWS\\system32\\ctfmon.exe"=
"c:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"=
"c:\\Program Files\\TOSHIBA\\TOSHIBA Controls\\TFncKy.exe"=
"c:\\WINDOWS\\RTHDCPL.EXE"=
"c:\\WINDOWS\\VFIND.exe"=
"c:\\WINDOWS\\system32\\CF22634.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=

R2 U3sHlpDr;U3sHlpDr;\??\c:\windows\System32\Drivers\U3sHlpDr.sys [2008-10-13 8959]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\nfmnhi.sys []
S3 SVRPEDRV;SVRPEDRV;\??\c:\docume~1\Maged\LOCALS~1\Temp\RarSFX0\S10VWF\PEDrv.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04a3c793-c050-11dc-9581-0018dea43156}]
\Shell\Auto\command - app.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL app.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{449b00d2-868a-11da-a583-00a0d1df1b4d}]
\Shell\AutoRun\command - browser.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-11-20 c:\windows\Tasks\User_Feed_Synchronization-{0BE07DAD-2789-4A5B-95AC-ED3C97B2E235}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-21 00:21:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSBattM.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
.
**************************************************************************
.
Completion time: 2008-11-21 0:30:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-20 22:30:24
ComboFix2.txt 2008-11-20 19:12:04
ComboFix3.txt 2008-11-20 18:26:47
ComboFix4.txt 2008-11-20 16:10:01
ComboFix5.txt 2008-11-20 22:14:45

Pre-Run: 31,933,108,224 bytes free
Post-Run: 31,724,781,568 bytes free

230 --- E O F --- 2008-11-13 07:23:03
Nov 23 2008, 03:28 AM, Post #2
Hi,
My computer was infected. The virus disabled the Task Manager, Registry Editor and firewall, and I cannot install some antivirus programs on my machine or open websites like Trend Micro; when I go on the internet the virus downloads three files into my Temp folder. I attach the HijackThis log file and the ComboFix log as well. Another point: I have Linux on this computer. Can this virus hide on Linux? Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:26 AM, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-19\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 4482 bytes

________________________________________________________________________________

ComboFix 08-11-17.01 - Maged 2008-11-22 22:46:16.34 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.675 [GMT 2:00]
Running from: D:\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-22 to 2008-11-22 )))))))))))))))))))))))))))))))
.

2008-11-22 22:13 . 2008-11-22 22:13 <DIR> d-------- C:\rsit
2008-11-22 22:07 . 2008-11-22 22:12 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-22 21:49 . 2008-11-22 21:49 <DIR> d-------- C:\Rustbfix
2008-11-22 21:32 . 2008-11-22 21:32 <DIR> d-------- C:\VundoFix Backups
2008-11-22 21:22 . 2008-11-22 21:22 <DIR> d-------- c:\documents and settings\Maged\Application Data\Malwarebytes
2008-11-22 21:22 . 2008-11-22 21:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-22 19:23 . 2008-11-22 19:23 7,680 --ahs---- c:\windows\system32\Thumbs.db
2008-11-22 09:00 . 2008-11-22 20:10 <DIR> d-------- C:\SDFix
2008-11-21 10:41 . 2008-11-21 10:41 <DIR> d-------- c:\program files\Lavasoft
2008-11-21 10:40 . 2008-11-21 11:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-21 03:06 . 2008-11-22 20:13 <DIR> d-------- c:\windows\system32\CatRoot2
2008-11-20 15:49 . 2008-11-20 15:49 <DIR> d--hs---- c:\documents and settings\NetworkService
2008-11-20 15:49 . 2008-11-20 15:49 <DIR> d--hs---- c:\documents and settings\LocalService
2008-11-18 18:44 . 2008-11-18 18:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-18 18:43 . 2008-11-21 21:01 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-18 18:43 . 2008-11-21 21:01 <DIR> d-------- c:\documents and settings\Maged\Application Data\SUPERAntiSpyware.com
2008-11-18 18:13 . 2008-11-18 18:34 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-18 17:51 . 2008-11-21 19:41 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-18 17:51 . 2008-11-21 19:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-18 17:02 . 2008-11-18 17:02 <DIR> d-------- c:\program files\Trend Micro
2008-11-18 13:03 . 2008-11-18 13:03 <DIR> d-------- c:\windows\Recent
2008-11-18 13:03 . 2008-11-18 13:03 <DIR> d-------- c:\windows\Cookies
2008-11-17 20:48 . 2008-11-17 20:48 4,024 --a------ c:\windows\system32\tmp.reg
2008-11-17 20:47 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-17 20:47 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-17 20:47 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-17 20:47 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-17 20:47 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-17 20:47 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-17 20:47 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-17 20:47 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-17 20:47 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-12 19:49 . 2008-10-24 13:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 19:45 . 2008-09-04 19:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-10-30 18:36 . 2008-11-22 22:38 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-10-29 06:44 . 2008-10-30 18:20 <DIR> d-------- c:\program files\Recovery Toolbox for RAR
2008-10-24 08:35 . 2008-10-15 18:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-23 12:21 . 2008-10-23 12:22 <DIR> d-------- c:\documents and settings\Maged\.idlerc
2008-10-23 10:50 . 2004-08-04 15:00 1,039,955 --a--c--- c:\windows\system32\dllcache\cmnresm.dll
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-21 17:26 --------- d-----w c:\program files\ImageJ
2008-11-21 17:24 --------- d-----w c:\program files\Java
2008-11-15 09:20 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2008-11-09 10:37 --------- d-----w c:\program files\Common Files\Adobe
2008-10-28 17:57 --------- d-----w c:\program files\Free Download Manager
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 12:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 12:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 12:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 10:40 --------- d-----w c:\documents and settings\Maged\Application Data\gtk-2.0
2008-10-13 15:05 --------- d-----w c:\program files\Veritask Software
2008-10-13 12:47 8,959 ----a-w c:\windows\system32\drivers\U3sHlpDr.sys
2008-10-13 12:47 --------- d-----w c:\documents and settings\All Users\Application Data\TST Biometrics
2008-10-12 19:02 --------- d-----w c:\program files\Priore
2008-10-10 09:22 --------- d-----w c:\documents and settings\Maged\Application Data\FinalBurner .ISO
2008-10-10 09:20 --------- d-----w c:\documents and settings\Maged\Application Data\ImgBurn
2008-10-10 09:14 --------- d-----w c:\program files\ImgBurn
2008-10-10 09:14 --------- d-----w c:\documents and settings\Maged\Application Data\DeepBurner
2008-10-10 09:10 --------- d-----w c:\program files\Astonsoft
2008-10-10 08:54 --------- d-----w c:\documents and settings\Maged\Application Data\Canneverbe_Limited
2008-10-07 19:28 --------- d-----w c:\program files\Windows Live Safety Center
2008-10-05 17:15 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-09-30 14:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-05-23 11:02 44,120 ----a-w c:\documents and settings\Maged\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 172032]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 159744]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 188416]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 831577]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 421888]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2005-11-30 151552]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 196608]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 745542]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 680006]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 561152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-12 255528]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3813376]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 483328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 117616]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-10 c:\windows\RTHDCPL.exe]
"TPSMain"="TPSMain.exe" [2005-08-03 c:\windows\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 c:\windows\system32\TDispVol.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-12-07 1814528]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 161184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iPMS.exe]
"Debugger"=dummy.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iPMS20.exe]
"Debugger"=dummy.dat

[HKLM\~\startupfolder\C:^Documents and Settings^Maged^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Maged\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\AGRSMMSG.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\TosAVRC.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\Program Files\\Toshiba\\Toshiba Applet\\thotkey.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe"=
"c:\\WINDOWS\\system32\\TPSMain.exe"=
"c:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"=
"c:\\Program Files\\TOSHIBA\\TOSHIBA Controls\\TFncKy.exe"=
"c:\\Program Files\\TOSHIBA\\Tvs\\TvsTray.exe"=

R2 U3sHlpDr;U3sHlpDr;\??\c:\windows\System32\Drivers\U3sHlpDr.sys [2008-10-13 8959]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\nfmnhi.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04a3c793-c050-11dc-9581-0018dea43156}]
\Shell\Auto\command - app.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL app.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{449b00d2-868a-11da-a583-00a0d1df1b4d}]
\Shell\AutoRun\command - browser.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-11-22 c:\windows\Tasks\User_Feed_Synchronization-{0BE07DAD-2789-4A5B-95AC-ED3C97B2E235}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = iexplore
O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-22 22:49:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-22 22:54:31
ComboFix-quarantined-files.txt 2008-11-22 20:54:29
ComboFix2.txt 2008-11-22 17:47:35
ComboFix3.txt 2008-11-22 16:47:32
ComboFix4.txt 2008-11-22 16:23:53
ComboFix5.txt 2008-11-22 20:46:05

Pre-Run: 32,073,842,688 bytes free
Post-Run: 32,061,071,360 bytes free

198 --- E O F --- 2008-11-13 07:23:03
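An added example, not part of this thread and not code from ComboFix, HijackThis or BleepingComputer: the tampering that both ComboFix logs above show (Task Manager and Registry Editor disabled by policy, the Security Center override and DisableNotify values, the firewall standard profile switched off, the Image File Execution Options "Debugger" entries for iPMS.exe and iPMS20.exe, the bare app.exe and browser.exe AutoRun commands under MountPoints2, and the abp470n5 service whose driver file ComboFix could no longer find) can be pulled out of the "Reg Loading Points" section mechanically rather than by eye. The Python script below does that. The category names and the rules are my own; the sample log is a constructed excerpt of the posted section, trimmed to the lines that matter.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log for the
tampering indicators seen in this thread: policy lockouts, Security Center
overrides, firewall off, IFEO Debugger hijacks, bare-executable AutoRun
commands under MountPoints2, and driver entries with no file behind them."""
import re
from typing import List, Tuple, Union

Finding = Tuple[str, str, str]  # (category, where, detail)

# Constructed sample: a trimmed excerpt of the registry section posted above,
# with the ordinary Run/startup entries left out.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iPMS.exe]
"Debugger"=dummy.dat
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"FirewallDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 U3sHlpDr;U3sHlpDr;\??\c:\windows\System32\Drivers\U3sHlpDr.sys [2008-10-13 8959]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\nfmnhi.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04a3c793-c050-11dc-9581-0018dea43156}]
\Shell\Auto\command - app.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL app.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.+?)\s*\[(.*)\]$")
AUTORUN_RE = re.compile(r"^\\Shell\\\w+\\command\s+-\s+(.+)$")
DWORD_RE = re.compile(r"^(?:dword:([0-9a-fA-F]+)|(\d+)\s*\(0x[0-9a-fA-F]+\))$")


def parse_value(raw: str) -> Union[int, str]:
    """ComboFix prints DWORDs two ways: 'dword:00000001' and '1 (0x1)'."""
    m = DWORD_RE.match(raw.strip())
    if m:
        return int(m.group(1), 16) if m.group(1) else int(m.group(2))
    return raw.strip()


def bare_executables(command: str) -> List[str]:
    """Program names with no path component: resolved relative to the drive
    root or current directory at AutoRun time, the removable-media trick."""
    return [t for t in command.split()
            if t.lower().endswith(".exe") and not re.search(r"[\\/:]", t)]


def check_value(section: str, name: str, value: Union[int, str]) -> List[Finding]:
    sec = section.lower()
    tail = section.rsplit("\\", 1)[-1]
    if sec.endswith("\\policies\\system") and value == 1 \
            and name in ("DisableTaskMgr", "DisableRegistryTools"):
        return [("policy-lockout", section, f"{name}=1")]
    if "\\security center" in sec and value == 1 \
            and (name.endswith("Override") or name.endswith("DisableNotify")):
        return [("security-center-tamper", section, f"{name}=1")]
    if sec.endswith("\\firewallpolicy\\standardprofile") and name == "EnableFirewall" and value == 0:
        return [("firewall-off", section, "EnableFirewall=0")]
    if "\\image file execution options\\" in sec and name == "Debugger":
        return [("ifeo-debugger", tail, f"launching {tail} runs {value!r} instead")]
    return []  # ordinary value; EnableLUA is a Vista UAC key and means nothing on XP


def triage(log_text: str) -> List[Finding]:
    """Walk the section in order and return every indicator found."""
    findings: List[Finding] = []
    section = ""
    for line in (ln.strip() for ln in log_text.splitlines()):
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := DRIVER_RE.match(line):
            start, name, path, info = m.groups()
            if not info:  # no "[date size]": ComboFix found no file behind the service entry
                findings.append(("driver-unverified", name, f"{start} {path}"))
        elif (m := AUTORUN_RE.match(line)) and "mountpoints2" in section.lower():
            for exe in bare_executables(m.group(1)):
                findings.append(("autorun-bare-exe", section.rsplit("\\", 1)[-1], exe))
        elif m := VALUE_RE.match(line):
            findings.extend(check_value(section, m.group(1), parse_value(m.group(2))))
    return findings


if __name__ == "__main__":
    for cat, where, detail in triage(SAMPLE_LOG):
        print(f"{cat:24} {where}  {detail}")
```

Two points the rules encode deliberately: the HKLM EnableLUA=0 value in the first log is a Vista UAC setting and carries no meaning on XP, so it is not flagged; and a driver line ending in "[]" only says ComboFix could not stat the file, which is expected here because the first run listed nfmnhi.sys under "FILE ::" in its CFScript, leaving the abp470n5 service registration behind without a file. The G: entry (G:\LaunchU3.exe, a full path on a U3 flash drive) is not flagged; the app.exe and browser.exe entries, which name a program with no path at all, are.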
Dec 6 2008, 08:20 AM, Post #3 (HJT Team Coach)
Hello Mjames
Welcome to BleepingComputer.
========================
Please do not run ComboFix unless asked to. That file, c:\windows\system32\CF17156.exe, is part of ComboFix, not malware.
==========================