
Mdmcls32.exe How To Get Rid Of?


  • This topic is locked
13 replies to this topic

#1 BlkOps_Stealth

  • Members
  • 7 posts

Posted 04 August 2007 - 10:45 AM

Hi guys,

I've been searching the posts and trying to get rid of mdmcls32.exe on my own before posting a new topic but no luck. Every time I stop the program, it comes back. When I delete the program and remove it from the root dir, it kills my internet connection.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:12 AM, on 8/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
f:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
F:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
F:\Program Files\Logitech\SetPoint\LBTWiz.exe
F:\WINDOWS\SYSTEM32\CTXFISPI.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
F:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
F:\WINDOWS\cfgmng32.exe
F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
F:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\PnkBstrA.exe
F:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
F:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\mdmcls32.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\msiexec.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTDVDDET] "F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "F:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] "F:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "F:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "F:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [dvHighMem] F:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [RetroExpress] F:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Creative Detector] "F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail1.gcr.com/iNotes.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186213924953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166502772265
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://entriq.vo.llnwd.net/o1/NBCUniversal...0_15_Silent.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail1.gcr.com/dwa7W.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - f:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - F:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - F:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - F:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: WinSock Extention Manager - Unknown owner - F:\WINDOWS\system32\mdmcls32.exe

#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 04 August 2007 - 02:12 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum BlkOps_Stealth :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Download KillBox, unzip/extract it to your desktop, we'll use it later.
http://download.bleepingcomputer.com/spyware/KillBox.exe

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.bat to your desktop.
Then double click on the fix.bat file on your desktop.
You'll see a black screen flash, that's normal.

@echo off
rem The service name contains spaces, so it must be quoted for sc.exe
sc stop "WinSock Extention Manager"
sc delete "WinSock Extention Manager"

Restart your pc.

Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
F:\WINDOWS\system32\mdmcls32.exe
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot, select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new HijackThis log.
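An added example, not part of this thread and not RichieUK's or BleepingComputer's code: a small Python script that covers both halves of the reply above, the triage of the HijackThis O23 service lines from the first post and the fix.bat that stops and deletes the service. It parses O23 entries, flags services that report no publisher and whose binary sits under the Windows directory, and emits the batch file with the service name quoted, which sc.exe needs whenever the name contains spaces. The sample log lines are constructed from the entries in this thread. The flagging rule is a triage cue, not a verdict: PnkBstrA (PunkBuster) also shows as 'Unknown owner' in system32 and is legitimate, so each flagged entry still has to be resolved by checking the file's publisher, version info and hash before it goes into the fix list.

```python
import re
from typing import Dict, List

# Constructed sample: O23 service lines modelled on the HijackThis logs in this
# thread (not a real capture, just enough to exercise the parser).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WinSock Extention Manager - Unknown owner - F:\WINDOWS\system32\mdmcls32.exe
"""

# HijackThis O23 layout: "O23 - Service: <display name> [(short name)] - <publisher> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SHORT_NAME_RE = re.compile(r"^(?P<display>.+?) \((?P<short>[^()]+)\)$")


def parse_o23(log: str) -> List[Dict[str, str]]:
    """Extract every O23 service entry as a dict with display/name/owner/path."""
    services = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        display = m.group("display")
        sm = SHORT_NAME_RE.match(display)
        # HijackThis appends the service's short (registry) name in parentheses
        # when it differs from the display name; otherwise the two are the same.
        name = sm.group("short") if sm else display
        services.append({"display": display, "name": name,
                         "owner": m.group("owner"), "path": m.group("path")})
    return services


def flag_services(services: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Triage rule: no publisher recorded AND the binary lives under \\WINDOWS.

    A cue for a closer look, not a verdict: legitimate software such as
    PunkBuster (PnkBstrA) also shows up as 'Unknown owner' in system32.
    """
    return [s for s in services
            if s["owner"].lower() == "unknown owner"
            and "\\windows\\" in s["path"].lower()]


def sc_quote(name: str) -> str:
    """sc.exe takes the service name as one argument, so names containing
    spaces must be quoted; unquoted, only the first word is used as the name."""
    return f'"{name}"' if " " in name else name


def build_fix_bat(service_names: List[str]) -> str:
    """Emit a fix.bat that stops and deletes each named service via sc.exe."""
    lines = ["@echo off"]
    for name in service_names:
        quoted = sc_quote(name)
        lines.append(f"sc stop {quoted}")
        lines.append(f"sc delete {quoted}")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    found = parse_o23(SAMPLE_LOG)
    for svc in flag_services(found):
        print(f"review: {svc['name']!r} ({svc['owner']}) -> {svc['path']}")
    # Only after a human has confirmed which flagged entry is the malware:
    print(build_fix_bat(["WinSock Extention Manager"]), end="")
```

Run it as-is to see the two flagged entries and the generated batch text; in practice `build_fix_bat` would be fed only the names a reviewer has confirmed, never the whole flagged list.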

#3 BlkOps_Stealth

  • Topic Starter
  • Members
  • 7 posts

Posted 04 August 2007 - 04:37 PM

Thanks Richie, here are the two logs.

ComboFix 07-08-05.3 - "Rob" 2007-08-04 16:23:43.1 [GMT -5:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


D:\Autorun.inf
F:\setup.exe
F:\WINDOWS\system32\drivers\filter.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\filter


((((((((((((((((((((((((( Files Created from 2007-07-04 to 2007-08-04 )))))))))))))))))))))))))))))))


2007-08-04 16:21 51,200 --a------ F:\WINDOWS\nircmd.exe
2007-08-04 16:20 1,032,192 --a------ F:\WINDOWS\system32\mdmcls32.exe
2007-08-04 16:04 <DIR> d-------- F:\!KillBox
2007-08-04 13:18 12,800 --a------ F:\WINDOWS\BS_DEF.sys
2007-08-04 11:13 <DIR> d-------- F:\WINDOWS\nview
2007-08-04 09:35 <DIR> d-------- F:\Program Files\Trend Micro
2007-08-04 03:00 <DIR> d-------- F:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-04 02:52 <DIR> d-------- F:\WINDOWS\system32\SoftwareDistribution
2007-07-30 23:42 77,312 --a------ F:\WINDOWS\ua2.dll
2007-07-16 14:19 <DIR> d-------- F:\Program Files\3DGroove


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-04 13:55 22328 --a--c--- F:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-08-04 13:54 103736 --a--c--- F:\WINDOWS\system32\PnkBstrB.exe
2007-08-04 12:01 --------- d--h----- F:\Program Files\InstallShield Installation Information
2007-08-04 11:53 86016 --a------ F:\WINDOWS\system32\OpenAL32.dll
2007-08-04 11:53 413696 --a------ F:\WINDOWS\system32\wrap_oal.dll
2007-07-27 17:07 783224 --a------ F:\WINDOWS\system32\aswBoot.exe
2007-07-27 17:02 94416 --a--c--- F:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 17:02 92848 --a--c--- F:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 17:00 23152 --a--c--- F:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 16:59 42912 --a--c--- F:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 16:58 26624 --a--c--- F:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 16:57 95608 --a--c--- F:\WINDOWS\system32\AVASTSS.scr
2007-06-30 10:21 --------- d-------- F:\Program Files\Kontiki
2007-06-30 10:21 --------- d-------- F:\Program Files\Entriq
2007-06-29 00:43 8466432 --a------ F:\WINDOWS\system32\nvcpl.dll
2007-06-29 00:43 81920 --a------ F:\WINDOWS\system32\nvwddi.dll
2007-06-29 00:43 81920 --a------ F:\WINDOWS\system32\nvmctray.dll
2007-06-29 00:43 753664 --a------ F:\WINDOWS\system32\nvcplui.exe
2007-06-29 00:43 6807328 --a--c--- F:\WINDOWS\system32\dllcache\nv4_mini.sys
2007-06-29 00:43 6807328 --a------ F:\WINDOWS\system32\drivers\nv4_mini.sys
2007-06-29 00:43 6729728 --a------ F:\WINDOWS\system32\nvoglnt.dll
2007-06-29 00:43 6234112 --a------ F:\WINDOWS\system32\nvdisps.dll
2007-06-29 00:43 5690624 --a--c--- F:\WINDOWS\system32\dllcache\nv4_disp.dll
2007-06-29 00:43 5690624 --a------ F:\WINDOWS\system32\nv4_disp.dll
2007-06-29 00:43 5455872 --a------ F:\WINDOWS\system32\nvdispsr.dll
2007-06-29 00:43 466944 --a------ F:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43 458752 --a------ F:\WINDOWS\system32\nvmccssr.dll
2007-06-29 00:43 45056 --a------ F:\WINDOWS\system32\nvmccsrs.dll
2007-06-29 00:43 442368 --a------ F:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43 425984 --a------ F:\WINDOWS\system32\keystone.exe
2007-06-29 00:43 37376 --a------ F:\WINDOWS\system32\nvcodins.dll
2007-06-29 00:43 37376 --a------ F:\WINDOWS\system32\nvcod.dll
2007-06-29 00:43 360448 --a------ F:\WINDOWS\system32\nvapi.dll
2007-06-29 00:43 3600384 --a------ F:\WINDOWS\system32\nvvitvsr.dll
2007-06-29 00:43 3518464 --a------ F:\WINDOWS\system32\nvvitvs.dll
2007-06-29 00:43 3321856 --a------ F:\WINDOWS\system32\nvgames.dll
2007-06-29 00:43 3072000 --a------ F:\WINDOWS\system32\nvgamesr.dll
2007-06-29 00:43 307200 --a------ F:\WINDOWS\system32\nvexpbar.dll
2007-06-29 00:43 286720 --a------ F:\WINDOWS\system32\nvnt4cpl.dll
2007-06-29 00:43 2854912 --a------ F:\WINDOWS\system32\nvmoblsr.dll
2007-06-29 00:43 2416640 --a------ F:\WINDOWS\system32\nvwssr.dll
2007-06-29 00:43 2330624 --a------ F:\WINDOWS\system32\nvwss.dll
2007-06-29 00:43 229376 --a------ F:\WINDOWS\system32\nvmccs.dll
2007-06-29 00:43 188416 --a------ F:\WINDOWS\system32\nvmccss.dll
2007-06-29 00:43 1703936 --a------ F:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43 1626112 --a------ F:\WINDOWS\system32\nwiz.exe
2007-06-29 00:43 155716 --a------ F:\WINDOWS\system32\nvsvc32.exe
2007-06-29 00:43 1474560 --a------ F:\WINDOWS\system32\nview.dll
2007-06-29 00:43 147456 --a------ F:\WINDOWS\system32\nvcolor.exe
2007-06-29 00:43 1339392 --a------ F:\WINDOWS\system32\nvdspsch.exe
2007-06-29 00:43 1142784 --a------ F:\WINDOWS\system32\nvmobls.dll
2007-06-29 00:43 1073152 --a------ F:\WINDOWS\system32\nvcpluir.dll
2007-06-29 00:43 1019904 --a------ F:\WINDOWS\system32\nvwimg.dll
2007-06-29 00:43 1018772 --a------ F:\WINDOWS\system32\nvucode.bin
2007-06-28 01:31 --------- d-------- F:\Program Files\Windows Media Connect 2
2007-05-16 10:12 86528 --a--c--- F:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 --a--c--- F:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a--c--- F:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 683520 --a------ F:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 510976 --a--c--- F:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 --a--c--- F:\WINDOWS\system32\dllcache\msoe.dll
2007-05-10 23:20 63040 --a------ F:\WINDOWS\system32\PnkBstrA.exe
2007-05-04 07:29 3058688 --a--c--- F:\WINDOWS\system32\dllcache\mshtml.dll
2006-12-27 11:39 17920 --a--c--- F:\DOCUME~1\Rob\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 17:03]
"CTDVDDET"="F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00]
"RCSystem"="F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25]
"AudioDrvEmulator"="F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25]
"VolPanel"="F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 11:34]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 18:38 F:\WINDOWS\KHALMNPR.Exe]
"MaxtorOneTouch"="F:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 08:21]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 18:38 F:\WINDOWS\KHALMNPR.Exe]
"Logitech BT Wizard"="LBTWiz.exe" []
"LogitechCommunicationsManager"="F:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 01:12]
"LVCOMSX"="F:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-02-06 17:43]
"dvHighMem"="F:\WINDOWS\cfgmng32.exe" [2006-10-15 15:26]
"RetroExpress"="F:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2006-02-06 08:22]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]
"nwiz"="nwiz.exe" [2007-06-29 00:43 F:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="F:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43]
"CTHelper"="CTHELPER.EXE" [2006-08-17 11:32 F:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 11:32 F:\WINDOWS\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-03-22 20:40:26]
Logitech SetPoint.lnk - F:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-11-28 19:50:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
f:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2006-05-05 09:27 65536 f:\Program Files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=F:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=F:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=F:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
"F:\Program Files\Electronic Arts\EA Link\Core.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashIcon]
F:\Program Files\Generic\USB Card Reader Driver v2.3\FlashIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
"F:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"F:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"F:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
F:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"RasAuto"=3 (0x3)
"mnmsrvc"=3 (0x3)
"TapiSrv"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"RDSessMgr"=3 (0x3)
"KService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"medic"="F:\Program Files\MEDIC\bin\sprtcmd.exe" /P MEDIC

R0 sbp2port;SBP-2 Transport/Protocol Bus Driver;F:\WINDOWS\system32\DRIVERS\sbp2port.sys
R2 WinSock Extention Manager;WinSock Extention Manager;F:\WINDOWS\system32\mdmcls32.exe
R3 ha20x2k;Creative 20X HAL Driver;F:\WINDOWS\system32\drivers\ha20x2k.sys
R3 LHidKe;Logitech SetPoint HID Mouse Filter Driver;F:\WINDOWS\system32\DRIVERS\LHidKE.Sys
R3 LHidUsbK;Logitech SetPoint USB Receiver device driver;F:\WINDOWS\system32\Drivers\LHidUsbK.Sys
R3 LMouKE;Logitech SetPoint Mouse Filter Driver;F:\WINDOWS\system32\DRIVERS\LMouKE.Sys
R3 MaxtorFrontPanel1;Maxtor 1394 Storage Front Panel Driver;F:\WINDOWS\system32\DRIVERS\mxofwfp.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;F:\WINDOWS\system32\drivers\msmpu401.sys
R3 MTsensor;ATK0110 ACPI UTILITY;F:\WINDOWS\system32\DRIVERS\ASACPI.sys
R3 MXOPSWD;Maxtor OneTouch Security Driver;F:\WINDOWS\system32\DRIVERS\mxopswd.sys
S2 spupdsvc;Windows Service Pack Installer update service;F:\WINDOWS\system32\spupdsvc.exe
S3 L8042Kbd;Logitech SetPoint Keyboard Driver;F:\WINDOWS\system32\Drivers\L8042Kbd.sys
S3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;F:\WINDOWS\system32\Drivers\L8042mou.sys
S3 PnkBstrK;PnkBstrK;\??\F:\WINDOWS\system32\drivers\PnkBstrK.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-04 16:26:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-04 16:27:04 - machine was rebooted

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:53 PM, on 8/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
f:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
F:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
F:\Program Files\Logitech\SetPoint\LBTWiz.exe
F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
F:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\PnkBstrA.exe
F:\WINDOWS\SYSTEM32\CTXFISPI.EXE
F:\WINDOWS\cfgmng32.exe
F:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\CTHELPER.EXE
F:\WINDOWS\system32\CTXFIHLP.EXE
F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
F:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
F:\WINDOWS\system32\mdmcls32.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\WINDOWS\System32\wbem\wmiapsrv.exe
F:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTDVDDET] "F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "F:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] "F:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "F:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "F:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [dvHighMem] F:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [RetroExpress] F:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative Detector] "F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail1.gcr.com/iNotes.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186213924953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166502772265
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://entriq.vo.llnwd.net/o1/NBCUniversal...0_15_Silent.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail1.gcr.com/dwa7W.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - f:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - F:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - F:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - F:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - F:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: WinSock Extention Manager - Unknown owner - F:\WINDOWS\system32\mdmcls32.exe

--
End of file - 9098 bytes

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 04 August 2007 - 04:45 PM

Download and scan with the free 15-day trial of CounterSpy V2.
Save the report when it's finished:
1. Once CounterSpy has finished scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop-down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into your next reply.

------------------------------------------------------------------

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded, click on NEXT.
Now click on Scan Settings.
In the scan settings, make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Now under 'Select a target to scan':
Select My Computer
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete it will display whether your system has been infected.
Now click on the 'Save as Text' button.
Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

Also post a new HijackThis log please.

#5 BlkOps_Stealth (Topic Starter, Members, 7 posts)

Posted 04 August 2007 - 06:30 PM

Scan History Details
Start Date: 8/4/2007 4:55:30 PM
End Date: 8/4/2007 5:30:15 PM
Total Time: 34 Min 45 Sec
Detected security risks

Cookie: AdKnowledge.com Cookie (General)
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted
Cookies detected
f:\documents and settings\rob\cookies\rob@adknowledge[2].txt

Cookie: AdsRemote.Scripps.com Cookie (General)
Status: Deleted
Cookies detected
f:\documents and settings\rob\cookies\rob@adsremote.scripps[1].txt

Cookie: ATDMT.com Cookie (General)
Status: Deleted
Cookies detected
f:\documents and settings\rob\cookies\rob@atdmt[2].txt

Cookie: BeloInteractive.com Cookie (General)
Status: Deleted
Cookies detected
f:\documents and settings\rob\cookies\rob@belointeractive[1].txt

Cookie: BurstNet.com Cookie (General)
Status: Deleted
Cookies detected
f:\documents and settings\rob\cookies\rob@burstnet[2].txt

Cookie: CGI-Bin Cookie (General)
Status: Deleted
Cookies detected
f:\documents and settings\rob\cookies\rob@cgi-bin[1].txt
f:\documents and settings\rob\cookies\rob@cgi-bin[2].txt
f:\documents and settings\rob\cookies\rob@cgi-bin[3].txt
f:\documents and settings\rob\cookies\rob@cgi-bin[4].txt
f:\documents and settings\rob\cookies\rob@cgi-bin[5].txt
f:\documents and settings\rob\cookies\rob@cgi-bin[6].txt

Cookie: GeoCities Cookie (General)
Status: Deleted
Cookies detected
f:\documents and settings\rob\cookies\rob@geocities[1].txt

Cookie: LookSmart Cookie (General)
Status: Deleted
Cookies detected
f:\documents and settings\rob\cookies\rob@looksmart[1].txt

Cookie: PriceGrabber Cookie (General)
Status: Deleted
Cookies detected
f:\documents and settings\rob\cookies\rob@pricegrabber[2].txt

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, August 04, 2007 6:28:55 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 5/08/2007
Kaspersky Anti-Virus database records: 349971
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 116549
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:45:37

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Creative\CADI\Preset\PCI_BUS1102-5-211102-EC00.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\Rob\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\Rob\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Rob\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\Rob\ntuser.dat.LOG Object is locked skipped
F:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
F:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
F:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
F:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
F:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
F:\Program Files\Creative\ShareDLL\CADI\CTPLang.dat Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{DE1CDF1E-918A-4EF5-A322-4250B051B4AE}\RP6\change.log Object is locked skipped
F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
F:\WINDOWS\rnapxs\CSDK\urlcache\domainNames.dat Object is locked skipped
F:\WINDOWS\rnapxs\CSDK\urlcache\domainNames.idx Object is locked skipped
F:\WINDOWS\rnapxs\CSDK\urlcache\urlCacheDb.dat Object is locked skipped
F:\WINDOWS\rnapxs\CSDK\urlcache\urlCacheDb.idx Object is locked skipped
F:\WINDOWS\rnapxs\rnapxs.dat Object is locked skipped
F:\WINDOWS\rnapxs\StLst\icnStLst.dat Object is locked skipped
F:\WINDOWS\rnapxs\StLst\icnStLst.idx Object is locked skipped
F:\WINDOWS\SchedLgU.Txt Object is locked skipped
F:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
F:\WINDOWS\Sti_Trace.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
F:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
F:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\default Object is locked skipped
F:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
F:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
F:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SECURITY Object is locked skipped
F:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
F:\WINDOWS\system32\config\software Object is locked skipped
F:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
F:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\system Object is locked skipped
F:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
F:\WINDOWS\Temp\Perflib_Perfdata_704.dat Object is locked skipped
F:\WINDOWS\wiadebug.log Object is locked skipped
F:\WINDOWS\wiaservc.log Object is locked skipped
F:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:06 PM, on 8/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
f:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
F:\Program Files\Logitech\SetPoint\LBTWiz.exe
F:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
F:\WINDOWS\SYSTEM32\CTXFISPI.EXE
F:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
F:\WINDOWS\cfgmng32.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\CTHELPER.EXE
F:\WINDOWS\system32\CTXFIHLP.EXE
F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\PnkBstrA.exe
F:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
F:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\mdmcls32.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
F:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTDVDDET] "F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "F:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] "F:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "F:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "F:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [dvHighMem] F:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [RetroExpress] F:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SBCSTray] F:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [Creative Detector] "F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail1.gcr.com/iNotes.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186213924953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166502772265
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://entriq.vo.llnwd.net/o1/NBCUniversal...0_15_Silent.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail1.gcr.com/dwa7W.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - f:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - F:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - F:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - F:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - F:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - F:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: WinSock Extention Manager - Unknown owner - F:\WINDOWS\system32\mdmcls32.exe

--
End of file - 9331 bytes

#6 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 04 August 2007 - 07:48 PM

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
F:\WINDOWS\system32\mdmcls32.exe
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's too busy, try here:
http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Using the 'Browse' button, browse to:
F:\WINDOWS\system32\mdmcls32.exe
Then click on 'Send File'.
Post the results into your next reply.

---------------------------------------------------

First back up the registry by doing the following.
Click on Start>Run, copy and paste the following text into the 'Open:' space, then press OK:
regedit /e c:\registrybackup.reg
It won't appear to be doing anything; that's normal.
Your mouse pointer may have an hourglass alongside it for a minute or so.
Please be patient and continue when the hourglass disappears.

Click on Start>Run and type Services.msc, then hit OK.
Scroll down and find the service called:
WinSock Extention Manager
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then OK and close any open windows.

Click Start>Run and type regedit, then click OK.
Navigate to HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
Scroll down the left pane and locate the service name:
WinSock Extention Manager
Right-click on it and select 'Delete'.
Then restart your PC.

Post the file scan results and a new HijackThis log.
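
The back-up, stop, disable and delete sequence in the post above, scripted with the checks a practitioner would run first. This is an added example, not code from the thread or from RichieUK. It assumes Windows PowerShell (2.0 or later, using Get-WmiObject, reg.exe and sc.exe) in an elevated session on the affected machine; the service display name and binary path are the ones in the posted O23 line, while the backup directory and the -Remove switch are this example's own choices. Two details the thread runs into are handled explicitly. First, services.msc greys out 'Stop' when the service's ControlsAccepted mask lacks SERVICE_ACCEPT_STOP (exposed by WMI as AcceptStop = False), which is the symptom post #7 reports; setting the start type to Disabled still works in that case and 'sc delete' marks the key for deletion at the next reboot. Second, the key under HKLM\SYSTEM\CurrentControlSet\Services is named by the service's short name, not the display name shown in services.msc, so the script resolves it before exporting. It also prints the binary's MD5 so it can be compared with the hash the multi-engine scan reports. The posted logs contain no O10 (Winsock) entries, so nothing in the thread explains why removing the service breaks connectivity; removal is therefore opt-in and the service's own key is backed up first.

```powershell
# Added example, not part of the original thread. Inspect a Windows service named
# in a HijackThis O23 line, back up its registry key and binary, report the facts
# that decide whether removing it is safe, and remove it only when -Remove is given.
# Assumes Windows PowerShell 2.0 or later in an elevated session on the affected
# machine; the backup directory and the -Remove switch are this example's choices.
param(
    [string]$ServiceName = 'WinSock Extention Manager',   # display name from the O23 line
    [string]$BackupDir   = "$env:SystemDrive\svc-backup", # assumed location
    [switch]$Remove
)
$ErrorActionPreference = 'Stop'

# services.msc shows the display name; the key under
# HKLM\SYSTEM\CurrentControlSet\Services and sc.exe use the short service name.
$svc = Get-WmiObject Win32_Service |
       Where-Object { $_.DisplayName -eq $ServiceName -or $_.Name -eq $ServiceName }
if (-not $svc) { throw "No service called '$ServiceName'" }
$key = "HKLM\SYSTEM\CurrentControlSet\Services\$($svc.Name)"

# PathName may be quoted or followed by arguments; keep only the executable.
$exe = $svc.PathName -replace '^"([^"]+)".*$', '$1'
$exe = $exe -replace '^(\S+\.exe)\s.*$', '$1'
if (-not (Test-Path $exe)) { throw "Service binary '$exe' not found" }

# 1. Back up the service's own key (smaller and easier to restore than a whole
#    'regedit /e' export) and keep a copy of the binary for later analysis.
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
$regBackup = Join-Path $BackupDir "$($svc.Name).reg"
if (Test-Path $regBackup) { Remove-Item $regBackup }      # XP's reg.exe has no /y switch
reg.exe export $key $regBackup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export of $key failed" }
Copy-Item $exe (Join-Path $BackupDir ((Split-Path $exe -Leaf) + '.bin')) -Force

# 2. Facts to weigh before changing anything. AcceptStop = False is the reason the
#    'Stop' button is greyed out in services.msc: the service does not accept
#    SERVICE_CONTROL_STOP, so neither services.msc nor 'sc stop' can stop it.
$md5 = ([BitConverter]::ToString(
            [Security.Cryptography.MD5]::Create().ComputeHash(
                [IO.File]::ReadAllBytes($exe))) -replace '-', '').ToLower()
$sig = Get-AuthenticodeSignature -FilePath $exe
New-Object PSObject -Property @{
    Name        = $svc.Name
    DisplayName = $svc.DisplayName
    Binary      = $exe
    MD5         = $md5            # compare with the hash the multi-engine scan reports
    Signature   = $sig.Status     # Valid, NotSigned, HashMismatch, ...
    Signer      = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
    RunsAs      = $svc.StartName
    StartMode   = $svc.StartMode
    State       = $svc.State
    AcceptStop  = $svc.AcceptStop
    Description = $svc.Description
} | Format-List

# 3. Removal only on request. 'Disabled' stops it starting at the next boot whether
#    or not it can be stopped now; 'sc delete' marks the key for deletion, which
#    completes once the running instance is gone, i.e. after a reboot.
if ($Remove) {
    sc.exe config $svc.Name start= disabled | Out-Null
    if ($svc.AcceptStop -and $svc.State -eq 'Running') { sc.exe stop $svc.Name | Out-Null }
    sc.exe delete $svc.Name | Out-Null
    Write-Warning ("Reboot to finish. If connectivity is lost afterwards, as it was in this thread, " +
                   "restore with: reg import `"$regBackup`" and reboot again.")
}
```

On the XP SP2 machine in this thread Windows PowerShell would have to be installed first; the commands the script wraps (reg export, reg import, sc config, sc stop, sc delete) are the same ones an XP cmd prompt accepts, so the steps can also be typed by hand. If the network is still down after reg import has restored the key, netsh winsock reset is the standard XP SP2 command for rebuilding a damaged Winsock catalog; whether that applies to this machine is an assumption, since the posted logs show no O10 entries.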

#7 BlkOps_Stealth (Topic Starter, Members, 7 posts)

Posted 04 August 2007 - 09:25 PM


File: mdmcls32.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: d61d8e63a2e5b448bc686847009cd3ed
Packers detected: -
Bit9 reports: No threat detected (more info)
Scan taken on 05 Aug 2007 01:05:23 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


WinSock Extention Manager
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button. <----Not able to do this, that option is not available
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.


http://img48.imageshack.us/my.php?image=optionunavailablety2.jpg

When I deleted it from HKEY, it shut down my internet connection and I had to restore my registry backup to get online again.

Here is the HijackThis log after the restore.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:21 PM, on 8/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
f:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
F:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
F:\Program Files\Logitech\SetPoint\LBTWiz.exe
F:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
F:\WINDOWS\SYSTEM32\CTXFISPI.EXE
F:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
F:\WINDOWS\cfgmng32.exe
F:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\CTHELPER.EXE
F:\WINDOWS\system32\CTXFIHLP.EXE
F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
F:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
F:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\PnkBstrA.exe
F:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
F:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
F:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\mdmcls32.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\WINDOWS\System32\wbem\wmiapsrv.exe
F:\PROGRA~1\RETROS~1\RETROS~1.1\retrospect.exe
F:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Alwil Software\Avast4\setup\avast.setup
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTDVDDET] "F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "F:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] "F:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "F:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "F:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [dvHighMem] F:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [RetroExpress] F:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SBCSTray] F:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [Creative Detector] "F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail1.gcr.com/iNotes.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186213924953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166502772265
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://entriq.vo.llnwd.net/o1/NBCUniversal...0_15_Silent.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail1.gcr.com/dwa7W.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - f:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - F:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - F:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - F:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - F:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - F:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: WinSock Extention Manager - Unknown owner - F:\WINDOWS\system32\mdmcls32.exe

--
End of file - 9678 bytes

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:06:13 PM

Posted 05 August 2007 - 09:27 AM

Let's try this way:
Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O23 - Service: WinSock Extention Manager - Unknown owner - F:\WINDOWS\system32\mdmcls32.exe

Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
F:\WINDOWS\system32\mdmcls32.exe
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot, select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

If you lose your internet connection again please don't use the registry backup.
Instead click on Start/Run, type CMD then press OK.
At the Command Prompt copy and paste NETSH WINSOCK RESET then press Enter.
Type EXIT, press Enter.
Restart your pc.

Post a new Hijackthis log.
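The two things the instructions above act on are a service whose binary HijackThis reports as "Unknown owner", and a Winsock catalog that is left in a broken state once that binary is gone (the condition that NETSH WINSOCK RESET repairs by rebuilding the catalog). The following PowerShell is an added example for checking both on a machine before and after such a fix; it is not code from this thread, the function names are my own, and it assumes an elevated Windows PowerShell session with Get-CimInstance available (PowerShell 3 or later; on 2.0 substitute Get-WmiObject). The registry layout of the Winsock catalog (Protocol_Catalog9 entries carrying a PackedCatalogItem blob whose leading NUL-terminated ANSI string is the provider DLL path, and NameSpace_Catalog5 entries carrying a LibraryPath string) is the documented one, but treat it as an assumption on other Windows versions.

```powershell
# Added example, not code from the BleepingComputer thread. Assumes an elevated
# Windows PowerShell session; function names are my own.

function Get-ServiceBinaryInfo {
    # Reproduces the HijackThis O23 "Unknown owner" test: a service whose
    # executable has no CompanyName in its version resource, or whose
    # executable is missing from disk, deserves a closer look.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $cmd = $_.PathName
        if (-not $cmd) { return }
        # Recover the executable from the command line: optional leading quote,
        # then everything up to the first .exe/.sys (arguments follow it).
        $m = [regex]::Match($cmd, '^"?(.+?\.(?:exe|sys))', 'IgnoreCase')
        $exe = if ($m.Success) { [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value) } else { $cmd }
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $company = if ($exists) { (Get-Item -LiteralPath $exe).VersionInfo.CompanyName } else { $null }
        [pscustomobject]@{
            Name        = $_.Name
            DisplayName = $_.DisplayName
            StartMode   = $_.StartMode
            Path        = $exe
            Exists      = $exists
            Company     = $company
        }
    }
}

function Get-WinsockProvider {
    # Lists every Winsock provider DLL registered in the catalog and whether it
    # still exists. An entry pointing at a deleted DLL is the dangling state
    # that "netsh winsock reset" clears by rebuilding the catalog.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
    foreach ($sub in 'Catalog_Entries', 'Catalog_Entries64') {
        # Protocol (transport and layered) providers: the path is the leading
        # NUL-terminated ANSI string of the PackedCatalogItem binary value.
        foreach ($key in Get-ChildItem "$base\Protocol_Catalog9\$sub" -ErrorAction SilentlyContinue) {
            $blob = (Get-ItemProperty $key.PSPath).PackedCatalogItem
            if (-not $blob) { continue }
            $len = [Array]::IndexOf($blob, [byte]0)
            if ($len -lt 0) { $len = $blob.Length }
            $raw = [System.Text.Encoding]::Default.GetString($blob, 0, $len)
            $dll = [Environment]::ExpandEnvironmentVariables($raw)
            [pscustomobject]@{ Catalog = "Protocol\$sub"; Entry = $key.PSChildName; Path = $dll; Exists = (Test-Path -LiteralPath $dll) }
        }
        # Name-space providers (DNS and friends) store a plain LibraryPath string.
        foreach ($key in Get-ChildItem "$base\NameSpace_Catalog5\$sub" -ErrorAction SilentlyContinue) {
            $raw = (Get-ItemProperty $key.PSPath).LibraryPath
            if (-not $raw) { continue }
            $dll = [Environment]::ExpandEnvironmentVariables($raw)
            [pscustomobject]@{ Catalog = "NameSpace\$sub"; Entry = $key.PSChildName; Path = $dll; Exists = (Test-Path -LiteralPath $dll) }
        }
    }
}

# Services with no publisher or a missing binary (what HijackThis prints as "Unknown owner").
Get-ServiceBinaryInfo | Where-Object { -not $_.Exists -or -not $_.Company } | Format-Table -AutoSize

# Catalog entries whose provider DLL is gone; if any appear after a file has been
# deleted, a Winsock reset is the repair rather than restoring the registry backup.
Get-WinsockProvider | Where-Object { -not $_.Exists } | Format-Table -AutoSize
```

Run the second query before deleting anything and keep its output: a provider path that is present in the first run and reported missing in the second explains a dead network connection without guesswork, and the list of entries that survive the reset is the baseline to compare against on the next log.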

#9 BlkOps_Stealth

BlkOps_Stealth
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:13 PM

Posted 05 August 2007 - 10:07 AM

Deleting it again shut down the internet but the reset worked.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:52 AM, on 8/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
f:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
F:\Program Files\Logitech\SetPoint\LBTWiz.exe
F:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
F:\WINDOWS\SYSTEM32\CTXFISPI.EXE
F:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
F:\WINDOWS\cfgmng32.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\CTHELPER.EXE
F:\WINDOWS\system32\CTXFIHLP.EXE
F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
F:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\PnkBstrA.exe
F:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
F:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
F:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
F:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTDVDDET] "F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "F:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] "F:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "F:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "F:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [dvHighMem] F:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [RetroExpress] F:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SBCSTray] F:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [Creative Detector] "F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail1.gcr.com/iNotes.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186213924953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166502772265
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://entriq.vo.llnwd.net/o1/NBCUniversal...0_15_Silent.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail1.gcr.com/dwa7W.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - f:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - F:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - F:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - F:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - F:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 9101 bytes

It looks like that did the trick but it is still in my Prefetch folder and the registry.

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:06:13 PM

Posted 05 August 2007 - 10:11 AM

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

---------------------------------------------------------

Double click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new Hijackthis log.

#11 BlkOps_Stealth

BlkOps_Stealth
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:13 PM

Posted 05 August 2007 - 10:24 AM

ComboFix 07-08-05.3 - "Rob" 2007-08-05 10:21:20.2 [GMT -5:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


D:\Autorun.inf


((((((((((((((((((((((((( Files Created from 2007-07-05 to 2007-08-05 )))))))))))))))))))))))))))))))


2007-08-04 17:33 <DIR> d-------- F:\WINDOWS\system32\Kaspersky Lab
2007-08-04 17:33 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-04 16:55 0 --a------ F:\WINDOWS\system32\SBRC.dat
2007-08-04 16:55 0 --a------ F:\WINDOWS\system32\SBFC.dat
2007-08-04 16:52 15,544 --a------ F:\WINDOWS\system32\drivers\sbhr.sys
2007-08-04 16:51 <DIR> d-------- F:\Program Files\Sunbelt Software
2007-08-04 16:51 <DIR> d-------- F:\DOCUME~1\Rob\APPLIC~1\Sunbelt Software
2007-08-04 16:51 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
2007-08-04 16:21 51,200 --a------ F:\WINDOWS\nircmd.exe
2007-08-04 16:04 <DIR> d-------- F:\!KillBox
2007-08-04 13:18 12,800 --a------ F:\WINDOWS\BS_DEF.sys
2007-08-04 11:13 <DIR> d-------- F:\WINDOWS\nview
2007-08-04 09:35 <DIR> d-------- F:\Program Files\Trend Micro
2007-08-04 03:00 <DIR> d-------- F:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-04 02:52 <DIR> d-------- F:\WINDOWS\system32\SoftwareDistribution
2007-07-30 23:42 77,312 --a------ F:\WINDOWS\ua2.dll
2007-07-16 14:19 <DIR> d-------- F:\Program Files\3DGroove


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-05 00:08 22328 --a--c--- F:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-08-05 00:07 103736 --a--c--- F:\WINDOWS\system32\PnkBstrB.exe
2007-08-04 12:01 --------- d--h----- F:\Program Files\InstallShield Installation Information
2007-08-04 11:53 86016 --a------ F:\WINDOWS\system32\OpenAL32.dll
2007-08-04 11:53 413696 --a------ F:\WINDOWS\system32\wrap_oal.dll
2007-07-27 17:07 783224 --a------ F:\WINDOWS\system32\aswBoot.exe
2007-07-27 17:02 94416 --a--c--- F:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 17:02 92848 --a--c--- F:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 17:00 23152 --a--c--- F:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 16:59 42912 --a--c--- F:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 16:58 26624 --a--c--- F:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 16:57 95608 --a--c--- F:\WINDOWS\system32\AVASTSS.scr
2007-06-30 10:21 --------- d-------- F:\Program Files\Kontiki
2007-06-30 10:21 --------- d-------- F:\Program Files\Entriq
2007-06-29 00:43 8466432 --a------ F:\WINDOWS\system32\nvcpl.dll
2007-06-29 00:43 81920 --a------ F:\WINDOWS\system32\nvwddi.dll
2007-06-29 00:43 81920 --a------ F:\WINDOWS\system32\nvmctray.dll
2007-06-29 00:43 753664 --a------ F:\WINDOWS\system32\nvcplui.exe
2007-06-29 00:43 6807328 --a--c--- F:\WINDOWS\system32\dllcache\nv4_mini.sys
2007-06-29 00:43 6807328 --a------ F:\WINDOWS\system32\drivers\nv4_mini.sys
2007-06-29 00:43 6729728 --a------ F:\WINDOWS\system32\nvoglnt.dll
2007-06-29 00:43 6234112 --a------ F:\WINDOWS\system32\nvdisps.dll
2007-06-29 00:43 5690624 --a--c--- F:\WINDOWS\system32\dllcache\nv4_disp.dll
2007-06-29 00:43 5690624 --a------ F:\WINDOWS\system32\nv4_disp.dll
2007-06-29 00:43 5455872 --a------ F:\WINDOWS\system32\nvdispsr.dll
2007-06-29 00:43 466944 --a------ F:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43 458752 --a------ F:\WINDOWS\system32\nvmccssr.dll
2007-06-29 00:43 45056 --a------ F:\WINDOWS\system32\nvmccsrs.dll
2007-06-29 00:43 442368 --a------ F:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43 425984 --a------ F:\WINDOWS\system32\keystone.exe
2007-06-29 00:43 37376 --a------ F:\WINDOWS\system32\nvcodins.dll
2007-06-29 00:43 37376 --a------ F:\WINDOWS\system32\nvcod.dll
2007-06-29 00:43 360448 --a------ F:\WINDOWS\system32\nvapi.dll
2007-06-29 00:43 3600384 --a------ F:\WINDOWS\system32\nvvitvsr.dll
2007-06-29 00:43 3518464 --a------ F:\WINDOWS\system32\nvvitvs.dll
2007-06-29 00:43 3321856 --a------ F:\WINDOWS\system32\nvgames.dll
2007-06-29 00:43 3072000 --a------ F:\WINDOWS\system32\nvgamesr.dll
2007-06-29 00:43 307200 --a------ F:\WINDOWS\system32\nvexpbar.dll
2007-06-29 00:43 286720 --a------ F:\WINDOWS\system32\nvnt4cpl.dll
2007-06-29 00:43 2854912 --a------ F:\WINDOWS\system32\nvmoblsr.dll
2007-06-29 00:43 2416640 --a------ F:\WINDOWS\system32\nvwssr.dll
2007-06-29 00:43 2330624 --a------ F:\WINDOWS\system32\nvwss.dll
2007-06-29 00:43 229376 --a------ F:\WINDOWS\system32\nvmccs.dll
2007-06-29 00:43 188416 --a------ F:\WINDOWS\system32\nvmccss.dll
2007-06-29 00:43 1703936 --a------ F:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43 1626112 --a------ F:\WINDOWS\system32\nwiz.exe
2007-06-29 00:43 155716 --a------ F:\WINDOWS\system32\nvsvc32.exe
2007-06-29 00:43 1474560 --a------ F:\WINDOWS\system32\nview.dll
2007-06-29 00:43 147456 --a------ F:\WINDOWS\system32\nvcolor.exe
2007-06-29 00:43 1339392 --a------ F:\WINDOWS\system32\nvdspsch.exe
2007-06-29 00:43 1142784 --a------ F:\WINDOWS\system32\nvmobls.dll
2007-06-29 00:43 1073152 --a------ F:\WINDOWS\system32\nvcpluir.dll
2007-06-29 00:43 1019904 --a------ F:\WINDOWS\system32\nvwimg.dll
2007-06-29 00:43 1018772 --a------ F:\WINDOWS\system32\nvucode.bin
2007-06-28 01:31 --------- d-------- F:\Program Files\Windows Media Connect 2
2007-06-15 14:37 27376 --a------ F:\WINDOWS\system32\SBBD.exe
2007-05-16 10:12 86528 --a--c--- F:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 --a--c--- F:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a--c--- F:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 683520 --a------ F:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 510976 --a--c--- F:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 --a--c--- F:\WINDOWS\system32\dllcache\msoe.dll
2007-05-10 23:20 63040 --a------ F:\WINDOWS\system32\PnkBstrA.exe
2006-12-27 11:39 17920 --a--c--- F:\DOCUME~1\Rob\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 17:03]
"CTDVDDET"="F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00]
"RCSystem"="F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25]
"AudioDrvEmulator"="F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25]
"VolPanel"="F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 11:34]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 18:38 F:\WINDOWS\KHALMNPR.Exe]
"MaxtorOneTouch"="F:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 08:21]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 18:38 F:\WINDOWS\KHALMNPR.Exe]
"Logitech BT Wizard"="LBTWiz.exe" []
"LogitechCommunicationsManager"="F:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 01:12]
"LVCOMSX"="F:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-02-06 17:43]
"dvHighMem"="F:\WINDOWS\cfgmng32.exe" [2006-10-15 15:26]
"RetroExpress"="F:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2006-02-06 08:22]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]
"nwiz"="nwiz.exe" [2007-06-29 00:43 F:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="F:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43]
"CTHelper"="CTHELPER.EXE" [2006-08-17 11:32 F:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 11:32 F:\WINDOWS\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SBCSTray"="F:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-06-15 15:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-03-22 20:40:26]
Logitech SetPoint.lnk - F:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-11-28 19:50:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
f:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2006-05-05 09:27 65536 f:\Program Files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=F:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=F:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=F:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
"F:\Program Files\Electronic Arts\EA Link\Core.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashIcon]
F:\Program Files\Generic\USB Card Reader Driver v2.3\FlashIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
"F:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"F:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"F:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
F:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"RasAuto"=3 (0x3)
"mnmsrvc"=3 (0x3)
"TapiSrv"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"RDSessMgr"=3 (0x3)
"KService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"medic"="F:\Program Files\MEDIC\bin\sprtcmd.exe" /P MEDIC

R0 SBHR;SBHR;F:\WINDOWS\system32\drivers\sbhr.sys
R0 sbp2port;SBP-2 Transport/Protocol Bus Driver;F:\WINDOWS\system32\DRIVERS\sbp2port.sys
R3 ha20x2k;Creative 20X HAL Driver;F:\WINDOWS\system32\drivers\ha20x2k.sys
R3 LHidKe;Logitech SetPoint HID Mouse Filter Driver;F:\WINDOWS\system32\DRIVERS\LHidKE.Sys
R3 LHidUsbK;Logitech SetPoint USB Receiver device driver;F:\WINDOWS\system32\Drivers\LHidUsbK.Sys
R3 LMouKE;Logitech SetPoint Mouse Filter Driver;F:\WINDOWS\system32\DRIVERS\LMouKE.Sys
R3 MaxtorFrontPanel1;Maxtor 1394 Storage Front Panel Driver;F:\WINDOWS\system32\DRIVERS\mxofwfp.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;F:\WINDOWS\system32\drivers\msmpu401.sys
R3 MTsensor;ATK0110 ACPI UTILITY;F:\WINDOWS\system32\DRIVERS\ASACPI.sys
R3 MXOPSWD;Maxtor OneTouch Security Driver;F:\WINDOWS\system32\DRIVERS\mxopswd.sys
S2 spupdsvc;Windows Service Pack Installer update service;F:\WINDOWS\system32\spupdsvc.exe
S3 L8042Kbd;Logitech SetPoint Keyboard Driver;F:\WINDOWS\system32\Drivers\L8042Kbd.sys
S3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;F:\WINDOWS\system32\Drivers\L8042mou.sys
S3 SBAPIFS;SBAPIFS;\??\F:\WINDOWS\system32\drivers\sbapifs.sys
S4 WinSock Extention Manager;WinSock Extention Manager;F:\WINDOWS\system32\mdmcls32.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-05 10:21:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-05 10:28:21
F:\ComboFix-quarantined-files.txt ... 2007-08-05 10:28
F:\ComboFix2.txt ... 2007-08-05 10:22
F:\ComboFix3.txt ... 2007-08-04 16:27

--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:44 AM, on 8/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\system32\spoolsv.exe
f:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
F:\Program Files\Logitech\SetPoint\LBTWiz.exe
F:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
F:\WINDOWS\SYSTEM32\CTXFISPI.EXE
F:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
F:\WINDOWS\cfgmng32.exe
F:\WINDOWS\CTHELPER.EXE
F:\WINDOWS\system32\CTXFIHLP.EXE
F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
F:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\PnkBstrA.exe
F:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
F:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
F:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
F:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTDVDDET] "F:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "F:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "F:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "F:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] "F:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "F:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "F:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [dvHighMem] F:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [RetroExpress] F:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SBCSTray] F:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [Creative Detector] "F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail1.gcr.com/iNotes.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186213924953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166502772265
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://entriq.vo.llnwd.net/o1/NBCUniversal...0_15_Silent.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail1.gcr.com/dwa7W.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - F:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - f:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - F:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - F:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - F:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - F:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 9084 bytes

Edited by BlkOps_Stealth, 05 August 2007 - 10:29 AM.


#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:06:13 PM

Posted 05 August 2007 - 01:13 PM

You should be able to do the following now without a problem:
Click Start>Run and type regedit then click OK.
Navigate to HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
Scroll down the left pane, locate the service name:
WinSock Extention Manager
Right click on it and select 'Delete'.
Then restart your pc.

If you lose your internet connection again please don't use the registry backup.
Instead click on Start/Run, type CMD then press Ok.
At the Command Prompt copy and paste NETSH WINSOCK RESET, then press Enter.
Type EXIT press Enter.
Restart your pc.
-------------------------------------------------

Your log is clean :thumbsup:
If all's ok, please do the following.

Find and delete:
KillBox.exe
fix.bat
Combofix.exe

F:\!KillBox
F:\QOOBOX

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

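An added example, not part of RichieUK's post or of any tool mentioned in it, showing how the two steps above (finding the service key under HKLM\SYSTEM\CurrentControlSet\Services and removing it before a Winsock reset) can be done from PowerShell with an inspection pass first. It assumes the service's DisplayName is exactly the string quoted in the post, that the script runs in an elevated prompt, and that `$env:SystemRoot` is the Windows directory (F:\WINDOWS on the poster's machine). It also flags any service whose binary sits directly in the Windows directory rather than in System32, the same placement the log shows for F:\WINDOWS\cfgmng32.exe; that heuristic is an assumption for triage, not a verdict.

```powershell
# Added example (not from the thread). Audit HKLM\SYSTEM\CurrentControlSet\Services
# for the entry named in the post and for services whose executable lives directly
# in %SystemRoot%. Reports by default; -Remove performs the deletion the post describes.
param(
    [string]$DisplayName = 'WinSock Extention Manager',   # assumption: exact DisplayName from the post
    [switch]$Remove
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$winDir = $env:SystemRoot                                 # e.g. F:\WINDOWS

# Reduce an ImagePath value to the executable it points at.
function Get-ImagePathFile {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    $p = $p -replace '^\\\?\?\\', ''          # \??\C:\x.exe  -> C:\x.exe
    $p = $p -replace '^\\SystemRoot', $winDir # \SystemRoot\x -> F:\WINDOWS\x
    if ($p.StartsWith('"')) {                 # "C:\path\x.exe" /arg -> C:\path\x.exe
        $p = $p.Substring(1, $p.IndexOf('"', 1) - 1)
    } else {
        $p = ($p -split '\s+')[0]
    }
    # Driver paths are often relative to the Windows directory
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $winDir $p }
    return $p
}

$findings = @()
foreach ($key in Get-ChildItem $servicesKey) {
    $props = Get-ItemProperty $key.PSPath
    $file  = Get-ImagePathFile $props.ImagePath
    if (-not $file) { continue }

    try { $dir = [IO.Path]::GetDirectoryName($file) } catch { $dir = $null }

    $nameMatch  = ($props.DisplayName -eq $DisplayName)
    # A service binary directly in %SystemRoot% (not System32\) is unusual and worth a look
    $rootWindir = $dir -and ($dir.TrimEnd('\') -ieq $winDir.TrimEnd('\'))

    if ($nameMatch -or $rootWindir) {
        if ($nameMatch) { $reason = 'display name matches' } else { $reason = 'binary directly in Windows dir' }
        $findings += [pscustomobject]@{
            Service     = $key.PSChildName
            DisplayName = $props.DisplayName
            ImagePath   = $props.ImagePath
            FileExists  = (Test-Path -LiteralPath $file -ErrorAction SilentlyContinue)
            Reason      = $reason
        }
    }
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in ($findings | Where-Object { $_.Reason -eq 'display name matches' })) {
        # Same action as the post: delete the service key, then reset Winsock and reboot
        Remove-Item -Path (Join-Path $servicesKey $f.Service) -Recurse -Force
        Write-Host "Removed service key '$($f.Service)'. Now run: netsh winsock reset, then restart."
    }
}
```

Run it once without `-Remove` to see what matches and whether the referenced file still exists on disk, then `.\audit-services.ps1 -Remove` (script name assumed) to delete only the name-matched key; the "binary directly in Windows dir" hits are listed for review, not removed, because the heuristic alone does not prove a service is malicious.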
#13 BlkOps_Stealth

BlkOps_Stealth
  • Topic Starter

  • Members
  • 7 posts
  • Local time:12:13 PM

Posted 05 August 2007 - 03:12 PM

Everything works great! Thanks Richie, I appreciate all your help. :thumbsup:

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:06:13 PM

Posted 05 August 2007 - 03:30 PM

You're welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.