
How To Remove Mdmcls.32


24 replies to this topic

#1 nt148
Posted 18 October 2007 - 06:42 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:40:03, on 18/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\cfgmng32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Advanced Registry Doctor\RegDfrgSch.exe
C:\Program Files\RoboTask\RoboTask.exe
C:\Program Files\Backup Expert\BackupExpert.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?source=navclient-ff
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: CIEIntegrator Object - {7A7F202E-AF91-4889-9DD5-2FE241085CC1} - C:\Program Files\PCSecureSystem\Tools\pg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: IEFW Object - {FAAD2038-C371-473D-86F1-5B11D39C3775} - C:\Program Files\PCSecureSystem\Tools\IEFWBHO.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [update_smartcleaner] "C:\Program Files\Smart Cleaner\UUpdate.exe"
O4 - HKLM\..\Run: [SmartCleaner] C:\Program Files\Smart Cleaner\SmartCleaner.exe /SCHEDULED
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [I&F Viewer toolbar] "C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [RegDfrgSch] C:\Program Files\Advanced Registry Doctor\RegDfrgSch.exe /tray
O4 - HKCU\..\Run: [RoboTask] C:\Program Files\RoboTask\RoboTask.exe
O4 - HKCU\..\Run: [Backup Expert] "C:\Program Files\Backup Expert\BackupExpert.exe" /logon
O4 - HKCU\..\Run: [FileEraser.exe] "C:\Program Files\File Eraser\FileEraser.exe" /minimize
O4 - HKCU\..\Run: [PCSecureSystem] C:\Program Files\PCSecureSystem\pgs.exe /min
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: גוזר מסך של OneNote 2007 ו- Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &ייצוא אל Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: שלח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: ש&לח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB29718F-CF4C-480A-A584-266AA705323C}: NameServer = 192.117.235.235 62.219.186.7
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel® AMT System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: WinSock Extention Manager - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe

--
End of file - 9529 bytes
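The log above is the kind of thing a helper reads by eye: a service with no vendor name whose binary sits in system32, an HKLM Run entry that starts a bare executable from the Windows directory, and BHO entries whose file is already gone. The following script is an added example (not part of this thread and not HijackThis code) that applies those same three checks to a HijackThis 2.0 log. The sample lines are a constructed subset of the log posted above, and the allowlist of Windows-directory autoruns (just ctfmon.exe) is an assumption for illustration.

```python
"""First-pass triage of a HijackThis 2.0 log (added example, not from the thread).

Parses the 'Running processes' list and the O2/O4/O23 sections, then flags:
  * O23 services with 'Unknown owner' whose binary lives under C:\WINDOWS
  * O4 Run entries that start a bare executable from the Windows directory
  * O2 BHO entries marked '(file missing)' (orphaned, safe to clean)
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the posted log, kept in the original shape.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\cfgmng32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eset\nod32krn.exe

O2 - BHO: CIEIntegrator Object - {7A7F202E-AF91-4889-9DD5-2FE241085CC1} - C:\Program Files\PCSecureSystem\Tools\pg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: WinSock Extention Manager - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe
"""

WINDIR = r"c:\windows"
# Assumption: XP components that legitimately autostart from the Windows dir.
KNOWN_WINDIR_AUTORUNS = {"ctfmon.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?', re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high" or "info"
    path: str       # lower-cased path the finding is about
    reason: str


def _exe_from_command(cmd: str) -> str:
    """Strip quotes and arguments from an O4 command line, leaving the binary."""
    m = EXE_RE.match(cmd.strip())
    return (m.group("exe") if m else cmd).strip().lower()


def _in_windir(path: str) -> bool:
    return path.lower().startswith(WINDIR + "\\")


def parse(log_text: str):
    """Return (running, bhos, autoruns, services) extracted from the log."""
    running, bhos, autoruns, services = set(), [], [], []
    in_procs = False
    for line in log_text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
            else:
                running.add(line.lower())
            continue
        if line.startswith("O2 - BHO: "):
            bhos.append(line[len("O2 - BHO: "):])
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if m:
                autoruns.append((m["hive"], m["name"], _exe_from_command(m["cmd"])))
        elif line.startswith("O23 - Service: "):
            # The display name may itself contain " - ", so split from the right.
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                services.append(tuple(parts))
    return running, bhos, autoruns, services


def triage(log_text: str) -> list:
    running, bhos, autoruns, services = parse(log_text)
    findings = []
    for name, owner, path in services:
        if owner == "Unknown owner" and _in_windir(path):
            state = "running" if path.lower() in running else "not running"
            findings.append(Finding("high", path.lower(),
                f"service '{name}' has no vendor and lives in the Windows dir ({state})"))
    for hive, name, exe in autoruns:
        if _in_windir(exe) and exe.rsplit("\\", 1)[-1] not in KNOWN_WINDIR_AUTORUNS:
            findings.append(Finding("high", exe,
                f"{hive} Run entry [{name}] starts a bare executable from the Windows dir"))
    for entry in bhos:
        if entry.endswith("(file missing)"):
            path = entry[:-len(" (file missing)")].rsplit(" - ", 1)[-1]
            findings.append(Finding("info", path.lower(), "orphaned BHO entry, file missing"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.path}: {f.reason}")
```

Run against the constructed sample it reports mdmcls32.exe (the "WinSock Extention Manager" service, still running) and cfgmng32.exe (the dvHighMem Run entry) as high, and the missing PCSecureSystem BHO as informational; the ESET and ctfmon entries pass. The heuristics are deliberately narrow: HijackThis already hides default Microsoft services, so a remaining service with no company name in the Windows directory is worth a second look, but every hit still needs the file itself checked.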


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 19 October 2007 - 04:38 AM

Hi nt148 and Welcome to the Bleeping Computer!

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 nt148

nt148
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  

Posted 22 October 2007 - 04:50 AM

Hello,
here are the results of the ComboFix.
I think that the mdmcls.32 is still here...

ComboFix 07-10-17.8 - Admin 10/22/2007 11:42:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.1.1033.18.479 [GMT 2:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-22 to 2007-10-22 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-22 09:32 --------- d-----w C:\Program Files\File Eraser
2007-10-18 14:56 --------- d-----w C:\Program Files\Webteh
2007-10-18 14:23 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-10-18 13:30 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-18 13:28 --------- d-----w C:\Program Files\Google
2007-10-18 13:25 --------- d-----w C:\Program Files\Backup Expert
2007-10-18 13:25 --------- d-----w C:\Program Files\Advanced Registry Doctor
2007-10-18 11:18 --------- d-----w C:\Program Files\Trend Micro
2007-10-18 10:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-18 10:58 --------- d-----w C:\Documents and Settings\Admin\Application Data\SUPERAntiSpyware.com
2007-10-18 10:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-18 10:53 --------- d-----w C:\Program Files\Common Files\PCSecureSystem
2007-10-18 07:28 --------- d-----w C:\Program Files\Windows Desktop Search
2007-10-18 07:28 --------- d-----w C:\Program Files\RoboTask
2007-10-17 13:00 15,544 ----a-w C:\WINDOWS\system32\drivers\sbhr.sys
2007-10-17 12:31 --------- d-----w C:\Program Files\Sunbelt Software
2007-10-17 12:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-10-17 12:31 --------- d-----w C:\Documents and Settings\Admin\Application Data\Sunbelt Software
2007-10-17 12:17 1,032,192 ----a-w C:\WINDOWS\system32\mdmcls32.exe
2007-10-17 12:16 --------- d-----w C:\Documents and Settings\Admin\Application Data\com.zipeg
2007-10-17 11:52 --------- d-----w C:\Program Files\Smart Cleaner
2007-10-17 09:23 2,064,384 ----a-w C:\WINDOWS\system32\win32cpr.dll
2007-10-17 09:23 1,294,425 ----a-w C:\WINDOWS\system32\winsflt.dll
2007-10-15 13:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2007-10-15 12:12 --------- d-----w C:\Program Files\InCode Solutions
2007-10-15 09:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skyline
2007-10-15 08:21 --------- d-----w C:\Documents and Settings\Admin\Application Data\PCSecureSystem
2007-10-14 16:03 --------- d-----w C:\Program Files\R-Studio
2007-10-14 16:02 --------- d-----w C:\Program Files\PrivacyEraser Computing
2007-10-11 10:08 --------- d-----w C:\Program Files\ImageComparer
2007-10-11 10:08 --------- d-----w C:\Documents and Settings\Admin\Application Data\Obsidium
2007-10-10 15:18 --------- d-----w C:\Program Files\JitBit
2007-10-09 17:16 --------- d-----w C:\Program Files\DivX
2007-10-09 14:59 --------- d-----w C:\Program Files\Elecard
2007-10-09 14:59 --------- d-----w C:\Program Files\Common Files\Elecard
2007-10-09 10:16 --------- d-----w C:\Documents and Settings\Admin\Application Data\Backup Expert
2007-10-09 10:14 --------- d-----w C:\Program Files\Java
2007-10-09 10:13 --------- d-----w C:\Program Files\Common Files\Java
2007-10-09 10:00 --------- d-----w C:\Program Files\Zipeg
2007-10-09 08:16 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-10-09 07:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-08 14:33 --------- d-----w C:\Documents and Settings\Admin\Application Data\gtk-2.0
2007-10-03 22:36 25,600 ----a-w C:\WINDOWS\system32\WS2Fix.exe
2007-10-01 17:51 --------- d-----w C:\Documents and Settings\Admin\Application Data\Bildsoft
2007-10-01 17:48 --------- d-----w C:\Program Files\Bildsoft
2007-10-01 17:16 --------- d-----w C:\Program Files\XP SafeGuard
2007-09-28 13:13 --------- d-----w C:\Documents and Settings\Admin\Application Data\DivX
2007-09-28 13:05 --------- d-----w C:\Documents and Settings\Admin\Application Data\Talkback
2007-09-27 15:05 21,656 ----a-w C:\WINDOWS\system32\novamns5.dll
2007-09-27 15:05 18,072 ----a-w C:\WINDOWS\system32\novamis5.dll
2007-09-24 14:41 --------- d-----w C:\Documents and Settings\Admin\Application Data\com.zipeg.3409831b-d15a-4c83-8948-a4c852121285
2007-09-24 14:26 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-09-24 14:26 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2007-09-24 14:26 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2007-09-20 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-09-20 10:00 --------- d-----w C:\Documents and Settings\Admin\Application Data\ZoomBrowser EX
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-05 22:22 289,144 ----a-w C:\WINDOWS\system32\VCCLSID.exe
2007-09-05 14:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2007-09-05 10:30 --------- d-----w C:\Program Files\Softland
2007-09-03 15:48 --------- d-----w C:\Program Files\Ligature
2007-09-02 15:36 --------- d-----w C:\Documents and Settings\Admin\Application Data\AdobeUM
2007-08-31 09:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\BufferZone
2007-08-29 01:02 --------- d-----w C:\Program Files\Ss-Tools
2007-08-27 11:27 --------- d-----w C:\Program Files\Common Files\Adobe
2007-08-27 09:26 27,120 ----a-w C:\WINDOWS\system32\SBBD.exe
2007-08-27 03:29 --------- d-----w C:\Program Files\DiskSweeper20
2007-08-27 03:11 --------- d-----w C:\Program Files\ICQToolbar
2007-08-27 01:28 --------- d-----w C:\Documents and Settings\Admin\Application Data\ICQ Toolbar
2007-08-27 01:21 --------- d-----w C:\Documents and Settings\Admin\Application Data\ICQLite
2007-08-26 16:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2007-08-26 16:19 114,048 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2007-08-26 16:19 --------- d-----w C:\Program Files\Common Files\Acronis
2007-08-26 16:19 --------- d-----w C:\Program Files\Acronis
2007-08-26 16:13 --------- d-----w C:\Documents and Settings\Admin\Application Data\com.zipeg.16018351-6719-4c34-ac76-095c862cd941
2007-08-26 15:39 --------- d-----w C:\Program Files\A-FF Find and Mount
2007-08-26 13:57 --------- d-----w C:\Program Files\i2i Internet Solutions
2007-08-26 12:50 --------- d-----w C:\Program Files\CCleaner
2007-08-26 11:28 --------- d-----w C:\Program Files\MediaRescue Pro
2007-08-26 11:25 --------- d-----w C:\Program Files\RegistryFix
2007-08-24 11:10 --------- d-----w C:\Documents and Settings\Admin\Application Data\com.zipeg.5a58da40-59cb-439a-801c-741356657e86
2007-08-23 16:59 --------- d-----w C:\Program Files\Argentum Backup
2007-08-23 16:59 --------- d-----w C:\Documents and Settings\Admin\Application Data\Argentum
2007-08-22 20:53 --------- d-----w C:\Documents and Settings\Admin\Application Data\com.zipeg.8f17a359-549c-4e2e-b6fd-8328ac4bf33e
2007-08-22 20:14 --------- d-----w C:\Documents and Settings\Admin\Application Data\com.zipeg.ff2a6576-9c35-4f02-aae4-b7e5a140619d
2007-08-22 19:53 --------- d-----w C:\Documents and Settings\Admin\Application Data\com.zipeg.b0f88335-7db4-4eb7-bf56-968ca3096a34
2007-08-22 10:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-20 14:03 21,656 ----a-w C:\WINDOWS\system32\novamnp5.dll
2007-08-20 14:03 18,072 ----a-w C:\WINDOWS\system32\novamip5.dll
2007-08-16 06:56 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2007-08-16 06:56 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
2007-08-08 14:30 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2007-08-02 16:11 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2007-08-02 16:11 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2007-07-30 16:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 16:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 16:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 16:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 16:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
.

((((((((((((((((((((((((((((( snapshot@Wed 10-17-2007_14.03.28.87 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 06:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
+ 2007-10-17 12:31:40 19,230 ----a-r C:\WINDOWS\Installer\{A5CC3E6E-CAC7-4D47-A5C8-743E549890D5}\ARPPRODUCTICON.exe
+ 2007-10-18 10:58:16 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-10-18 10:58:16 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-10-18 10:58:16 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2007-10-17 11:59:27 46,649,344 ----a-w C:\WINDOWS\rnapxs\StLst\icnStLst.dat
+ 2007-10-22 09:37:59 56,459,264 ----a-w C:\WINDOWS\rnapxs\StLst\icnStLst.dat
+ 2007-03-29 07:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-05 14:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 12:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2003-08-01 09:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2005-05-20 11:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2006-02-16 16:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-25 16:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2004-05-04 13:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 11:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-10 08:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 11:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-16 16:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-05 14:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2006-06-30 12:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 12:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2006-08-01 11:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2006-08-23 11:06:08 1,388,544 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2006-08-17 09:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 09:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-18 06:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 12:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 08:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-19 08:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 14:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-17 07:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 08:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 12:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 12:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 11:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 06:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 06:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-04-18 15:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 12:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 1997-09-18 04:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-02-28 15:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2006-08-02 10:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
+ 2006-10-30 09:30:30 10,032 ----a-w C:\WINDOWS\system32\drivers\SBTEDrv.sys
+ 2004-07-31 16:50:36 51,200 ----a-w C:\WINDOWS\system32\dumphive.exe
+ 2005-11-02 09:39:14 131,072 ----a-w C:\WINDOWS\system32\MD5.dll
+ 2005-11-02 09:39:16 24,924 ----a-w C:\WINDOWS\system32\openports.dll
+ 2003-06-05 19:13:00 53,248 ----a-w C:\WINDOWS\system32\Process.exe
+ 2003-02-21 05:16:08 49,152 ----a-w C:\WINDOWS\system32\REGTLIB.EXE
+ 2005-11-02 09:39:16 40,960 ----a-w C:\WINDOWS\system32\SDelete.dll
+ 2006-04-27 15:49:30 288,417 ----a-w C:\WINDOWS\system32\SrchSTS.exe
+ 2006-06-22 13:40:28 493,400 ----a-w C:\WINDOWS\system32\XceedZip.dll
+ 2003-03-25 16:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A7F202E-AF91-4889-9DD5-2FE241085CC1}]
C:\Program Files\PCSecureSystem\Tools\pg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAAD2038-C371-473D-86F1-5B11D39C3775}]
C:\Program Files\PCSecureSystem\Tools\IEFWBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [07/27/2007 08:39 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/26/2006 11:47 PM]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [02/26/2007 01:03 PM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [09/24/2007 04:26 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [08/26/2005 06:14 PM]
"dvHighMem"="C:\WINDOWS\cfgmng32.exe" [01/09/2007 03:36 PM]
"update_smartcleaner"="C:\Program Files\Smart Cleaner\UUpdate.exe" [10/10/2007 12:20 PM]
"SmartCleaner"="C:\Program Files\Smart Cleaner\SmartCleaner.exe" [10/11/2007 08:14 AM]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [08/27/2007 12:09 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 06:24 PM]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 02:00 PM]
"I&F Viewer toolbar"="C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" [10/27/2006 08:34 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [11/13/2006 12:39 PM]
"RegDfrgSch"="C:\Program Files\Advanced Registry Doctor\RegDfrgSch.exe" [09/20/2007 01:38 PM]
"RoboTask"="C:\Program Files\RoboTask\RoboTask.exe" [09/25/2007 04:05 PM]
"Backup Expert"="C:\Program Files\Backup Expert\BackupExpert.exe" [09/20/2007 02:01 PM]
"FileEraser.exe"="C:\Program Files\File Eraser\FileEraser.exe" [07/12/2006 12:15 AM]
"PCSecureSystem"="C:\Program Files\PCSecureSystem\pgs.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/17/2007 12:25 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
גוזר מסך של OneNote 2007 ו- Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-27 05:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-08-19 18:08:24]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 14:40:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 02:39 PM 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R2 atchksrv;Intel® AMT System Status Service;C:\Program Files\Intel\AMT\atchksrv.exe
R2 LMS;Intel® Active Management Technology LMS Service;C:\Program Files\Intel\AMT\LMS.exe
R2 WinSock Extention Manager;WinSock Extention Manager;C:\WINDOWS\system32\mdmcls32.exe
R3 akshasp;Aladdin HASP Key;C:\WINDOWS\system32\DRIVERS\akshasp.sys
R3 SBAPIFS;SBAPIFS;\??\C:\WINDOWS\system32\drivers\sbapifs.sys
S3 DVR3KUSB;DVR3KUSB.Sys Digital Voice Recorder 3K device driver;C:\WINDOWS\system32\Drivers\DVR3KUSB.sys
S3 slicedisk.sys;slicedisk.sys;\??\C:\WINDOWS\system32\slicedisk.sys
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys

*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
"2007-08-12 10:30:58 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-07 00:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.exe
"2007-10-22 09:31:44 C:\WINDOWS\Tasks\SmartDefrag.job"
- C:\Program Files\IObit\IObit SmartDefrag\schedule.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-22 11:46:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 10/22/2007 11:47:59
C:\ComboFix2.txt ... 10/17/2007 02:04 PM
.
--- E O F ---
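The Find3M report in the ComboFix log is useful for more than confirming that mdmcls32.exe is still present: once one file is known to be bad, the files the report dates to the same few hours are the natural candidates for droppers and companions. The script below is an added example (not ComboFix code and not part of this thread) that parses Find3M lines and pivots on a known-bad path with a time window. The sample lines are a constructed subset of the report above, and the four-hour window is an assumption chosen for illustration.

```python
"""Timeline pivot over a ComboFix 'Find3M Report' (added example, not from the thread).

Each report line has the shape:  YYYY-MM-DD HH:MM  <size or --------->  <attrs>  <path>
Directories carry a 'd' in the attribute field and dashes instead of a size.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the posted report, kept in the original shape.
SAMPLE_REPORT = r"""
2007-10-18 14:23 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-10-17 13:00 15,544 ----a-w C:\WINDOWS\system32\drivers\sbhr.sys
2007-10-17 12:31 --------- d-----w C:\Program Files\Sunbelt Software
2007-10-17 12:17 1,032,192 ----a-w C:\WINDOWS\system32\mdmcls32.exe
2007-10-17 11:52 --------- d-----w C:\Program Files\Smart Cleaner
2007-10-17 09:23 2,064,384 ----a-w C:\WINDOWS\system32\win32cpr.dll
2007-10-17 09:23 1,294,425 ----a-w C:\WINDOWS\system32\winsflt.dll
2007-10-15 13:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2007-10-03 22:36 25,600 ----a-w C:\WINDOWS\system32\WS2Fix.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>[\d,]+|-+) (?P<attr>\S+) (?P<path>.+)$")


def parse_find3m(text: str) -> list:
    """Return a list of (timestamp, size_or_None, is_dir, path) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # headers, dots and blank lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M")
        size = None if m["size"].startswith("-") else int(m["size"].replace(",", ""))
        entries.append((ts, size, "d" in m["attr"], m["path"]))
    return entries


def pivot(entries: list, bad_path: str, hours: int = 4, files_only: bool = True) -> list:
    """Entries dated within +/- `hours` of bad_path's own timestamp, bad_path excluded.

    With files_only=True directories are dropped, which keeps the result to the
    binaries that actually need checking; pass files_only=False to see the
    program folders that appeared in the same window (often the cover install).
    """
    target = bad_path.lower()
    anchors = [e for e in entries if e[3].lower() == target]
    if not anchors:
        raise ValueError(f"{bad_path} not in report")
    t0 = anchors[0][0]
    window = timedelta(hours=hours)
    hits = [e for e in entries
            if e[3].lower() != target
            and abs(e[0] - t0) <= window
            and not (files_only and e[2])]
    return sorted(hits, key=lambda e: e[0])


if __name__ == "__main__":
    report = parse_find3m(SAMPLE_REPORT)
    for ts, size, is_dir, path in pivot(report, r"C:\WINDOWS\system32\mdmcls32.exe"):
        print(f"{ts:%Y-%m-%d %H:%M}  {size if size is not None else '<dir>':>10}  {path}")
```

On the constructed sample, pivoting on mdmcls32.exe (12:17 on 17 October) returns win32cpr.dll and winsflt.dll (both 09:23, same morning) and sbhr.sys (13:00). The window is a filter, not a verdict: sbhr.sys is timestamped 29 minutes after the Sunbelt Software folder appeared and is probably the CounterSpy driver, while two large DLLs dropped into system32 three hours before the suspect service binary are the ones to look at first.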

#4 nt148

nt148
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 22 October 2007 - 04:53 AM

And here are the HJT results.

Thank you for everything and what should I do next?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:10, on 22/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\cfgmng32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Advanced Registry Doctor\RegDfrgSch.exe
C:\Program Files\RoboTask\RoboTask.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Backup Expert\BackupExpert.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?source=navclient-ff
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: CIEIntegrator Object - {7A7F202E-AF91-4889-9DD5-2FE241085CC1} - C:\Program Files\PCSecureSystem\Tools\pg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: IEFW Object - {FAAD2038-C371-473D-86F1-5B11D39C3775} - C:\Program Files\PCSecureSystem\Tools\IEFWBHO.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [update_smartcleaner] "C:\Program Files\Smart Cleaner\UUpdate.exe"
O4 - HKLM\..\Run: [SmartCleaner] C:\Program Files\Smart Cleaner\SmartCleaner.exe /SCHEDULED
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [I&F Viewer toolbar] "C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [RegDfrgSch] C:\Program Files\Advanced Registry Doctor\RegDfrgSch.exe /tray
O4 - HKCU\..\Run: [RoboTask] C:\Program Files\RoboTask\RoboTask.exe
O4 - HKCU\..\Run: [Backup Expert] "C:\Program Files\Backup Expert\BackupExpert.exe" /logon
O4 - HKCU\..\Run: [FileEraser.exe] "C:\Program Files\File Eraser\FileEraser.exe" /minimize
O4 - HKCU\..\Run: [PCSecureSystem] C:\Program Files\PCSecureSystem\pgs.exe /min
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: גוזר מסך של OneNote 2007 ו- Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &ייצוא אל Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: שלח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: ש&לח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB29718F-CF4C-480A-A584-266AA705323C}: NameServer = 192.117.235.235 62.219.186.7
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel® AMT System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: WinSock Extention Manager - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe

--
End of file - 9640 bytes

#5 Guest_Cretemonster_*

  • Guests

Posted 22 October 2007 - 05:36 PM

Copy the text below to Notepad and save it to the desktop with the name CFScript.txt

Driver::
WinSock Extention Manager
File::
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\win32cpr.dll
C:\WINDOWS\system32\winsflt.dll
C:\WINDOWS\cfgmng32.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dvHighMem"=-

Once saved, drag CFScript.txt on top of ComboFix.exe; this will launch the tool and begin the script.

Once completed, post the new ComboFix log and a fresh HijackThis log.

#6 nt148

  • Topic Starter
  • Members
  • 16 posts

Posted 23 October 2007 - 09:49 AM

ComboFix 07-10-17.8 - Admin 10/23/2007 16:16:32.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.1.1033.18.449 [GMT 2:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\cfgmng32.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\win32cpr.dll
C:\WINDOWS\system32\winsflt.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cfgmng32.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\win32cpr.dll
C:\WINDOWS\system32\winsflt.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_WINSOCK_EXTENTION_MANAGER
-------\WinSock Extention Manager


((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 14:22 --------- d-----w C:\Program Files\File Eraser
2007-10-23 14:05 --------- d-----w C:\Program Files\Zipeg
2007-10-23 14:05 --------- d-----w C:\Program Files\Clone Terminator
2007-10-23 14:04 --------- d-----w C:\Documents and Settings\Admin\Application Data\com.zipeg
2007-10-23 13:59 --------- d-----w C:\Program Files\MultiStage Recovery
2007-10-22 16:01 --------- d-----w C:\Program Files\Yahoo!
2007-10-22 10:10 --------- d-----w C:\Documents and Settings\Admin\Application Data\ZoomBrowser EX
2007-10-22 10:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-10-18 14:56 --------- d-----w C:\Program Files\Webteh
2007-10-18 14:23 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-10-18 13:30 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-18 13:28 --------- d-----w C:\Program Files\Google
2007-10-18 13:25 --------- d-----w C:\Program Files\Backup Expert
2007-10-18 13:25 --------- d-----w C:\Program Files\Advanced Registry Doctor
2007-10-18 11:18 --------- d-----w C:\Program Files\Trend Micro
2007-10-18 10:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-18 10:58 --------- d-----w C:\Documents and Settings\Admin\Application Data\SUPERAntiSpyware.com
2007-10-18 10:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-18 10:53 --------- d-----w C:\Program Files\Common Files\PCSecureSystem
2007-10-18 07:28 --------- d-----w C:\Program Files\Windows Desktop Search
2007-10-18 07:28 --------- d-----w C:\Program Files\RoboTask
2007-10-17 13:00 15,544 ----a-w C:\WINDOWS\system32\drivers\sbhr.sys
2007-10-17 12:31 --------- d-----w C:\Program Files\Sunbelt Software
2007-10-17 12:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-10-17 12:31 --------- d-----w C:\Documents and Settings\Admin\Application Data\Sunbelt Software
2007-10-17 11:52 --------- d-----w C:\Program Files\Smart Cleaner
2007-10-15 13:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2007-10-15 12:12 --------- d-----w C:\Program Files\InCode Solutions
2007-10-15 09:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skyline
2007-10-15 08:21 --------- d-----w C:\Documents and Settings\Admin\Application Data\PCSecureSystem
2007-10-14 16:03 --------- d-----w C:\Program Files\R-Studio
2007-10-14 16:02 --------- d-----w C:\Program Files\PrivacyEraser Computing
2007-10-11 10:08 --------- d-----w C:\Program Files\ImageComparer
2007-10-11 10:08 --------- d-----w C:\Documents and Settings\Admin\Application Data\Obsidium
2007-10-10 15:18 --------- d-----w C:\Program Files\JitBit
2007-10-09 17:16 --------- d-----w C:\Program Files\DivX
2007-10-09 14:59 --------- d-----w C:\Program Files\Elecard
2007-10-09 14:59 --------- d-----w C:\Program Files\Common Files\Elecard
2007-10-09 10:16 --------- d-----w C:\Documents and Settings\Admin\Application Data\Backup Expert
2007-10-09 10:14 --------- d-----w C:\Program Files\Java
2007-10-09 10:13 --------- d-----w C:\Program Files\Common Files\Java
2007-10-09 08:16 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-10-09 07:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-08 14:33 --------- d-----w C:\Documents and Settings\Admin\Application Data\gtk-2.0
2007-10-03 22:36 25,600 ----a-w C:\WINDOWS\system32\WS2Fix.exe
2007-10-01 17:51 --------- d-----w C:\Documents and Settings\Admin\Application Data\Bildsoft
2007-10-01 17:48 --------- d-----w C:\Program Files\Bildsoft
2007-10-01 17:16 --------- d-----w C:\Program Files\XP SafeGuard
2007-09-28 13:13 --------- d-----w C:\Documents and Settings\Admin\Application Data\DivX
2007-09-28 13:05 --------- d-----w C:\Documents and Settings\Admin\Application Data\Talkback
2007-09-27 15:05 21,656 ----a-w C:\WINDOWS\system32\novamns5.dll
2007-09-27 15:05 18,072 ----a-w C:\WINDOWS\system32\novamis5.dll
2007-09-24 14:41 --------- d-----w C:\Documents and Settings\Admin\Application Data\com.zipeg.3409831b-d15a-4c83-8948-a4c852121285
2007-09-24 14:26 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-09-24 14:26 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2007-09-24 14:26 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-05 22:22 289,144 ----a-w C:\WINDOWS\system32\VCCLSID.exe
2007-09-05 14:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2007-09-05 10:30 --------- d-----w C:\Program Files\Softland
2007-09-03 15:48 --------- d-----w C:\Program Files\Ligature
2007-09-02 15:36 --------- d-----w C:\Documents and Settings\Admin\Application Data\AdobeUM
2007-08-31 09:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\BufferZone
2007-08-29 01:02 --------- d-----w C:\Program Files\Ss-Tools
2007-08-27 11:27 --------- d-----w C:\Program Files\Common Files\Adobe
2007-08-27 09:26 27,120 ----a-w C:\WINDOWS\system32\SBBD.exe
2007-08-27 03:29 --------- d-----w C:\Program Files\DiskSweeper20
2007-08-27 03:11 --------- d-----w C:\Program Files\ICQToolbar
2007-08-27 01:28 --------- d-----w C:\Documents and Settings\Admin\Application Data\ICQ Toolbar
2007-08-27 01:21 --------- d-----w C:\Documents and Settings\Admin\Application Data\ICQLite
2007-08-26 16:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2007-08-26 16:19 114,048 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2007-08-26 16:19 --------- d-----w C:\Program Files\Common Files\Acronis
2007-08-26 16:19 --------- d-----w C:\Program Files\Acronis
2007-08-26 16:13 --------- d-----w C:\Documents and Settings\Admin\Application Data\com.zipeg.16018351-6719-4c34-ac76-095c862cd941
2007-08-26 15:39 --------- d-----w C:\Program Files\A-FF Find and Mount
2007-08-26 13:57 --------- d-----w C:\Program Files\i2i Internet Solutions
2007-08-26 12:50 --------- d-----w C:\Program Files\CCleaner
2007-08-26 11:28 --------- d-----w C:\Program Files\MediaRescue Pro
2007-08-26 11:25 --------- d-----w C:\Program Files\RegistryFix
2007-08-24 11:10 --------- d-----w C:\Documents and Settings\Admin\Application Data\com.zipeg.5a58da40-59cb-439a-801c-741356657e86
2007-08-23 16:59 --------- d-----w C:\Program Files\Argentum Backup
2007-08-23 16:59 --------- d-----w C:\Documents and Settings\Admin\Application Data\Argentum
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-20 14:03 21,656 ----a-w C:\WINDOWS\system32\novamnp5.dll
2007-08-20 14:03 18,072 ----a-w C:\WINDOWS\system32\novamip5.dll
2007-08-16 06:56 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2007-08-16 06:56 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
2007-08-08 14:30 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2007-08-02 16:11 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2007-08-02 16:11 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2007-07-30 16:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 16:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 16:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 16:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 16:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 16:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 16:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 16:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-27 13:49 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
.

((((((((((((((((((((((((((((( snapshot_Mon 10-22-2007_11.46.50.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 08:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2007-10-22 09:37:59 56,459,264 ----a-w C:\WINDOWS\rnapxs\StLst\icnStLst.dat
+ 2007-10-23 14:00:31 57,319,424 ----a-w C:\WINDOWS\rnapxs\StLst\icnStLst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A7F202E-AF91-4889-9DD5-2FE241085CC1}]
C:\Program Files\PCSecureSystem\Tools\pg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAAD2038-C371-473D-86F1-5B11D39C3775}]
C:\Program Files\PCSecureSystem\Tools\IEFWBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [07/27/2007 08:39 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/26/2006 11:47 PM]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [02/26/2007 01:03 PM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [09/24/2007 04:26 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [08/26/2005 06:14 PM]
"update_smartcleaner"="C:\Program Files\Smart Cleaner\UUpdate.exe" [10/10/2007 12:20 PM]
"SmartCleaner"="C:\Program Files\Smart Cleaner\SmartCleaner.exe" [10/11/2007 08:14 AM]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [08/27/2007 12:09 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 06:24 PM]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 02:00 PM]
"I&F Viewer toolbar"="C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" [10/27/2006 08:34 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [11/13/2006 12:39 PM]
"RegDfrgSch"="C:\Program Files\Advanced Registry Doctor\RegDfrgSch.exe" [09/20/2007 01:38 PM]
"RoboTask"="C:\Program Files\RoboTask\RoboTask.exe" [09/25/2007 04:05 PM]
"Backup Expert"="C:\Program Files\Backup Expert\BackupExpert.exe" [09/20/2007 02:01 PM]
"FileEraser.exe"="C:\Program Files\File Eraser\FileEraser.exe" [07/12/2006 12:15 AM]
"PCSecureSystem"="C:\Program Files\PCSecureSystem\pgs.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/17/2007 12:25 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
גוזר מסך של OneNote 2007 ו- Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-27 05:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-08-19 18:08:24]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 14:40:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 02:39 PM 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R2 atchksrv;Intel® AMT System Status Service;C:\Program Files\Intel\AMT\atchksrv.exe
R2 LMS;Intel® Active Management Technology LMS Service;C:\Program Files\Intel\AMT\LMS.exe
R3 akshasp;Aladdin HASP Key;C:\WINDOWS\system32\DRIVERS\akshasp.sys
R3 SBAPIFS;SBAPIFS;\??\C:\WINDOWS\system32\drivers\sbapifs.sys
S3 DVR3KUSB;DVR3KUSB.Sys Digital Voice Recorder 3K device driver;C:\WINDOWS\system32\Drivers\DVR3KUSB.sys
S3 slicedisk.sys;slicedisk.sys;\??\C:\WINDOWS\system32\slicedisk.sys
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys

*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
"2007-08-12 10:30:58 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-07 00:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.exe
"2007-10-23 14:22:20 C:\WINDOWS\Tasks\SmartDefrag.job"
- C:\Program Files\IObit\IObit SmartDefrag\schedule.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 16:22:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 10/23/2007 16:24:19 - machine was rebooted
C:\ComboFix2.txt ... 10/22/2007 11:48 AM
C:\ComboFix3.txt ... 10/17/2007 02:04 PM
.
--- E O F ---


-------------------------------------------------------------------------------------------------------------------------------------------




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:35:17, on 23/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\cfgmng32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Advanced Registry Doctor\RegDfrgSch.exe
C:\Program Files\RoboTask\RoboTask.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Backup Expert\BackupExpert.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?source=navclient-ff
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: CIEIntegrator Object - {7A7F202E-AF91-4889-9DD5-2FE241085CC1} - C:\Program Files\PCSecureSystem\Tools\pg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: IEFW Object - {FAAD2038-C371-473D-86F1-5B11D39C3775} - C:\Program Files\PCSecureSystem\Tools\IEFWBHO.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [update_smartcleaner] "C:\Program Files\Smart Cleaner\UUpdate.exe"
O4 - HKLM\..\Run: [SmartCleaner] C:\Program Files\Smart Cleaner\SmartCleaner.exe /SCHEDULED
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [I&F Viewer toolbar] "C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [RegDfrgSch] C:\Program Files\Advanced Registry Doctor\RegDfrgSch.exe /tray
O4 - HKCU\..\Run: [RoboTask] C:\Program Files\RoboTask\RoboTask.exe
O4 - HKCU\..\Run: [Backup Expert] "C:\Program Files\Backup Expert\BackupExpert.exe" /logon
O4 - HKCU\..\Run: [FileEraser.exe] "C:\Program Files\File Eraser\FileEraser.exe" /minimize
O4 - HKCU\..\Run: [PCSecureSystem] C:\Program Files\PCSecureSystem\pgs.exe /min
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: גוזר מסך של OneNote 2007 ו- Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &ייצוא אל Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: שלח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: ש&לח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel® AMT System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: WinSock Extention Manager - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe

--
End of file - 9588 bytes

#7 Guest_Cretemonster_*

  • Guests

Posted 23 October 2007 - 01:24 PM

Look in Add/Remove Programs and remove the entry for PCSecureSystem.

You have some other cleaner-type apps in there I'm not so sure about either.

After that, make sure NOD is up to date and then physically unplug your internet connection.

Restart in safe mode, find the script you created before and rename it back to CFScript.txt.

Run the script just as you did before. When it's finished, and before you reconnect to the internet, scan the whole system with NOD and remove anything it finds.
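The re-persistence this second round of instructions is reacting to is visible in the logs above: the first ComboFix run (completed 16:24:19) deleted C:\WINDOWS\cfgmng32.exe and C:\WINDOWS\system32\mdmcls32.exe and removed the "WinSock Extention Manager" service, yet the HijackThis log saved eleven minutes later (16:35:17) again lists both files running, the [dvHighMem] Run value and the service. A file that comes back between two logs taken that close together, with the machine online, is being re-created by something still running, which is why the rerun moves offline and into safe mode. The Python script below is an added example, not code from this thread, from ComboFix or from HijackThis: it parses the O4 (Run key) and O23 (service) lines of two HijackThis logs, diffs them, flags entries sharing the traits of the items targeted in post #5 (an executable sitting directly in the Windows directory; a service with "Unknown owner" running from the Windows tree), and emits a CFScript in the Driver::/File::/Registry:: layout used in post #5 for whatever survived. The two embedded logs are constructed: trimmed subsets of the logs in posts #1 and #6. The flagging heuristic and the hard-coded WINDIR are the author's assumptions, not HijackThis rules.

```python
"""
Added example for this thread (not code from the posts, ComboFix or HijackThis):
parse O4 Run-key and O23 service lines from two HijackThis logs, diff them, flag
entries that look like the ones targeted in post #5, and emit a CFScript body
in the Driver::/File::/Registry:: layout used there for what is still present.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

WINDIR = r"C:\WINDOWS"  # assumption: XP default; take it from the log header in real use

# Constructed sample input: trimmed subsets of the HijackThis logs in posts #1 and #6.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O4 - HKCU\..\Run: [PCSecureSystem] C:\Program Files\PCSecureSystem\pgs.exe /min
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: WinSock Extention Manager - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe
"""
# Log taken after the first ComboFix run: every entry is still present.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [PCSecureSystem] C:\Program Files\PCSecureSystem\pgs.exe /min
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: WinSock Extention Manager - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe
"""


@dataclass(frozen=True)
class Entry:
    kind: str   # "O4" (Run value) or "O23" (service)
    name: str   # Run value name, or service display name
    hive: str   # "HKLM", "HKCU", "HKUS\S-1-5-19", ... (O4 only)
    owner: str  # vendor string HijackThis printed (O23 only)
    path: str   # image path with quotes and arguments stripped


O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# first token ending in an executable extension, quoted or not; trailing arguments dropped
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|pif|bat|cmd|vbs))"?(?=\s|$)', re.I)


def image_path(cmd: str) -> str:
    m = EXE_RE.match(cmd.strip())
    return m["path"] if m else cmd.strip()


def parse(log: str) -> list[Entry]:
    """Keep only O4 Run-key and O23 service lines; Startup-folder O4 lines are skipped."""
    out: list[Entry] = []
    for line in log.splitlines():
        if m := O4_RE.match(line):
            out.append(Entry("O4", m["name"], m["hive"], "", image_path(m["cmd"])))
        elif m := O23_RE.match(line):
            out.append(Entry("O23", m["name"], "", m["owner"], m["path"].strip()))
    return out


def is_suspicious(e: Entry) -> bool:
    """Author's heuristic (assumption), modelled on the items removed in post #5."""
    p = e.path.lower()
    in_windir = p.startswith(WINDIR.lower() + "\\")
    # an executable dropped straight into the Windows directory root (cfgmng32.exe), not a subfolder
    in_windir_root = in_windir and "\\" not in p[len(WINDIR) + 1:]
    if e.kind == "O4":
        return in_windir_root
    # a service with no vendor string whose image lives in the Windows tree (mdmcls32.exe);
    # "Unknown owner" under Program Files (RegManServ) is not flagged by this rule
    return e.owner.lower() == "unknown owner" and in_windir


def diff(before: list[Entry], after: list[Entry]) -> dict[str, set[Entry]]:
    b, a = set(before), set(after)
    return {"survived": b & a, "removed": b - a, "new": a - b}


def persisted_suspects(before_log: str, after_log: str) -> list[Entry]:
    """Suspicious entries present in both logs: what the cleanup failed to remove."""
    d = diff(parse(before_log), parse(after_log))
    return sorted((e for e in d["survived"] if is_suspicious(e)), key=lambda e: (e.kind, e.name))


RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}


def cfscript(entries: list[Entry]) -> str:
    """Render a CFScript.txt body in the Driver::/File::/Registry:: layout from post #5."""
    drivers = sorted(e.name for e in entries if e.kind == "O23")
    files = sorted({e.path for e in entries})
    runs: dict[str, list[str]] = {}
    for e in entries:
        if e.kind == "O4" and e.hive in RUN_KEYS:
            runs.setdefault(RUN_KEYS[e.hive], []).append(e.name)
    lines: list[str] = []
    if drivers:
        lines += ["Driver::", *drivers]
    if files:
        lines += ["File::", *files]
    if runs:
        lines.append("Registry::")
        for key, names in sorted(runs.items()):
            lines.append(f"[{key}]")
            lines += [f'"{n}"=-' for n in sorted(names)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for bucket, items in diff(parse(LOG_BEFORE), parse(LOG_AFTER)).items():
        print(f"{bucket}: {len(items)} entries")
    print(cfscript(persisted_suspects(LOG_BEFORE, LOG_AFTER)))
```

Run as-is, the script reports that all six sample entries survived and prints a CFScript naming the "WinSock Extention Manager" service, the two executables and the [dvHighMem] value. It is shorter than the script in post #5 because HijackThis only lists autostart points: the companion DLLs (win32cpr.dll, winsflt.dll) in that File:: section never appear in a HijackThis log and had to come from other analysis. The reappearance itself is the finding; the generated script is only worth running the way post #7 prescribes, offline and in safe mode, after whatever re-drops the files has been removed.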

#8 nt148 (Topic Starter, Members, 16 posts)

Posted 24 October 2007 - 10:25 AM

Hello and thanks again,
I have done all.
What next?
And what to do with all the programs I have uploaded for this?

#9 Guest_Cretemonster_* (Guest)

Posted 24 October 2007 - 03:38 PM

I need to see the new ComboFix log and a fresh HijackThis log.

Did NOD find anything in the scan?

#10 nt148 (Topic Starter, Members, 16 posts)

Posted 25 October 2007 - 07:43 AM

ComboFix 07-10-17.8 - Admin 10/24/2007 15:20:39.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1255.1.1033.18.774 [GMT 2:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt

FILE::
C:\WINDOWS\cfgmng32.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\win32cpr.dll
C:\WINDOWS\system32\winsflt.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cfgmng32.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\win32cpr.dll
C:\WINDOWS\system32\winsflt.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_WINSOCK_EXTENTION_MANAGER
-------\WinSock Extention Manager


((((((((((((((((((((((((( Files Created from 2007-09-24 to 2007-10-24 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 13:26 --------- d-----w C:\Program Files\File Eraser
2007-10-23 14:05 --------- d-----w C:\Program Files\Zipeg
2007-10-23 14:05 --------- d-----w C:\Program Files\Clone Terminator
2007-10-23 14:04 --------- d-----w C:\Documents and Settings\Admin\Application Data\com.zipeg
2007-10-23 13:59 --------- d-----w C:\Program Files\MultiStage Recovery
2007-10-22 16:01 --------- d-----w C:\Program Files\Yahoo!
2007-10-22 10:10 --------- d-----w C:\Documents and Settings\Admin\Application Data\ZoomBrowser EX
2007-10-22 10:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-10-18 14:56 --------- d-----w C:\Program Files\Webteh
2007-10-18 14:23 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-10-18 13:30 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-18 13:28 --------- d-----w C:\Program Files\Google
2007-10-18 13:25 --------- d-----w C:\Program Files\Backup Expert
2007-10-18 13:25 --------- d-----w C:\Program Files\Advanced Registry Doctor
2007-10-18 11:18 --------- d-----w C:\Program Files\Trend Micro
2007-10-18 10:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-18 10:58 --------- d-----w C:\Documents and Settings\Admin\Application Data\SUPERAntiSpyware.com
2007-10-18 10:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-18 10:53 --------- d-----w C:\Program Files\Common Files\PCSecureSystem
2007-10-18 07:28 --------- d-----w C:\Program Files\Windows Desktop Search
2007-10-18 07:28 --------- d-----w C:\Program Files\RoboTask
2007-10-17 13:00 15,544 ----a-w C:\WINDOWS\system32\drivers\sbhr.sys
2007-10-17 12:31 --------- d-----w C:\Program Files\Sunbelt Software
2007-10-17 12:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-10-17 12:31 --------- d-----w C:\Documents and Settings\Admin\Application Data\Sunbelt Software
2007-10-17 11:52 --------- d-----w C:\Program Files\Smart Cleaner
2007-10-15 13:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2007-10-15 12:12 --------- d-----w C:\Program Files\InCode Solutions
2007-10-15 09:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skyline
2007-10-15 08:21 --------- d-----w C:\Documents and Settings\Admin\Application Data\PCSecureSystem
2007-10-14 16:03 --------- d-----w C:\Program Files\R-Studio
2007-10-14 16:02 --------- d-----w C:\Program Files\PrivacyEraser Computing
2007-10-11 10:08 --------- d-----w C:\Program Files\ImageComparer
2007-10-11 10:08 --------- d-----w C:\Documents and Settings\Admin\Application Data\Obsidium
2007-10-10 15:18 --------- d-----w C:\Program Files\JitBit
2007-10-09 17:16 --------- d-----w C:\Program Files\DivX
2007-10-09 14:59 --------- d-----w C:\Program Files\Elecard
2007-10-09 14:59 --------- d-----w C:\Program Files\Common Files\Elecard
2007-10-09 10:16 --------- d-----w C:\Documents and Settings\Admin\Application Data\Backup Expert
2007-10-09 10:14 --------- d-----w C:\Program Files\Java
2007-10-09 10:13 --------- d-----w C:\Program Files\Common Files\Java
2007-10-09 08:16 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-10-09 07:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-08 14:33 --------- d-----w C:\Documents and Settings\Admin\Application Data\gtk-2.0
2007-10-03 22:36 25,600 ----a-w C:\WINDOWS\system32\WS2Fix.exe
2007-10-01 17:51 --------- d-----w C:\Documents and Settings\Admin\Application Data\Bildsoft
2007-10-01 17:48 --------- d-----w C:\Program Files\Bildsoft
2007-10-01 17:16 --------- d-----w C:\Program Files\XP SafeGuard
2007-09-28 13:13 --------- d-----w C:\Documents and Settings\Admin\Application Data\DivX
2007-09-28 13:05 --------- d-----w C:\Documents and Settings\Admin\Application Data\Talkback
2007-09-27 15:05 21,656 ----a-w C:\WINDOWS\system32\novamns5.dll
2007-09-27 15:05 18,072 ----a-w C:\WINDOWS\system32\novamis5.dll
2007-09-24 14:41 --------- d-----w C:\Documents and Settings\Admin\Application Data\com.zipeg.3409831b-d15a-4c83-8948-a4c852121285
2007-09-24 14:26 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-09-24 14:26 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2007-09-24 14:26 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-05 22:22 289,144 ----a-w C:\WINDOWS\system32\VCCLSID.exe
2007-09-05 14:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2007-09-05 10:30 --------- d-----w C:\Program Files\Softland
2007-09-03 15:48 --------- d-----w C:\Program Files\Ligature
2007-09-02 15:36 --------- d-----w C:\Documents and Settings\Admin\Application Data\AdobeUM
2007-08-31 09:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\BufferZone
2007-08-29 01:02 --------- d-----w C:\Program Files\Ss-Tools
2007-08-27 11:27 --------- d-----w C:\Program Files\Common Files\Adobe
2007-08-27 09:26 27,120 ----a-w C:\WINDOWS\system32\SBBD.exe
2007-08-27 03:29 --------- d-----w C:\Program Files\DiskSweeper20
2007-08-27 03:11 --------- d-----w C:\Program Files\ICQToolbar
2007-08-27 01:28 --------- d-----w C:\Documents and Settings\Admin\Application Data\ICQ Toolbar
2007-08-27 01:21 --------- d-----w C:\Documents and Settings\Admin\Application Data\ICQLite
2007-08-26 16:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2007-08-26 16:19 114,048 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2007-08-26 16:19 --------- d-----w C:\Program Files\Common Files\Acronis
2007-08-26 16:19 --------- d-----w C:\Program Files\Acronis
2007-08-26 16:13 --------- d-----w C:\Documents and Settings\Admin\Application Data\com.zipeg.16018351-6719-4c34-ac76-095c862cd941
2007-08-26 15:39 --------- d-----w C:\Program Files\A-FF Find and Mount
2007-08-26 13:57 --------- d-----w C:\Program Files\i2i Internet Solutions
2007-08-26 12:50 --------- d-----w C:\Program Files\CCleaner
2007-08-26 11:28 --------- d-----w C:\Program Files\MediaRescue Pro
2007-08-26 11:25 --------- d-----w C:\Program Files\RegistryFix
2007-08-24 11:10 --------- d-----w C:\Documents and Settings\Admin\Application Data\com.zipeg.5a58da40-59cb-439a-801c-741356657e86
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-20 14:03 21,656 ----a-w C:\WINDOWS\system32\novamnp5.dll
2007-08-20 14:03 18,072 ----a-w C:\WINDOWS\system32\novamip5.dll
2007-08-16 06:56 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2007-08-16 06:56 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
2007-08-08 14:30 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2007-08-02 16:11 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2007-08-02 16:11 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2007-07-30 16:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 16:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 16:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 16:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 16:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 16:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 16:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 16:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-27 13:49 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
2007-07-27 13:49 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
.

((((((((((((((((((((((((((((( snapshot_Mon 10-22-2007_11.46.50.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 08:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2007-09-02 15:30:52 69,632 ----a-w C:\WINDOWS\rnapxs\CSDK\urlcache\domainNames.dat
+ 2007-10-23 17:06:10 69,632 ----a-w C:\WINDOWS\rnapxs\CSDK\urlcache\domainNames.dat
- 2007-09-02 15:30:52 1,351,680 ----a-w C:\WINDOWS\rnapxs\CSDK\urlcache\urlCacheDb.dat
+ 2007-10-24 12:27:55 1,351,680 ----a-w C:\WINDOWS\rnapxs\CSDK\urlcache\urlCacheDb.dat
- 2007-10-22 09:37:59 56,459,264 ----a-w C:\WINDOWS\rnapxs\StLst\icnStLst.dat
+ 2007-10-24 12:34:31 49,319,936 ----a-w C:\WINDOWS\rnapxs\StLst\icnStLst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A7F202E-AF91-4889-9DD5-2FE241085CC1}]
C:\Program Files\PCSecureSystem\Tools\pg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAAD2038-C371-473D-86F1-5B11D39C3775}]
C:\Program Files\PCSecureSystem\Tools\IEFWBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [07/27/2007 08:39 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/26/2006 11:47 PM]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [02/26/2007 01:03 PM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [09/24/2007 04:26 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [08/26/2005 06:14 PM]
"update_smartcleaner"="C:\Program Files\Smart Cleaner\UUpdate.exe" [10/10/2007 12:20 PM]
"SmartCleaner"="C:\Program Files\Smart Cleaner\SmartCleaner.exe" [10/11/2007 08:14 AM]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [08/27/2007 12:09 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 06:24 PM]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 02:00 PM]
"I&F Viewer toolbar"="C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" [10/27/2006 08:34 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [11/13/2006 12:39 PM]
"RegDfrgSch"="C:\Program Files\Advanced Registry Doctor\RegDfrgSch.exe" [09/20/2007 01:38 PM]
"RoboTask"="C:\Program Files\RoboTask\RoboTask.exe" [09/25/2007 04:05 PM]
"Backup Expert"="C:\Program Files\Backup Expert\BackupExpert.exe" [09/20/2007 02:01 PM]
"FileEraser.exe"="C:\Program Files\File Eraser\FileEraser.exe" [07/12/2006 12:15 AM]
"PCSecureSystem"="C:\Program Files\PCSecureSystem\pgs.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/17/2007 12:25 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
גוזר מסך של OneNote 2007 ו- Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-27 05:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-08-19 18:08:24]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 14:40:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 02:39 PM 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R2 atchksrv;Intel® AMT System Status Service;C:\Program Files\Intel\AMT\atchksrv.exe
R2 LMS;Intel® Active Management Technology LMS Service;C:\Program Files\Intel\AMT\LMS.exe
R3 akshasp;Aladdin HASP Key;C:\WINDOWS\system32\DRIVERS\akshasp.sys
R3 SBAPIFS;SBAPIFS;\??\C:\WINDOWS\system32\drivers\sbapifs.sys
S3 DVR3KUSB;DVR3KUSB.Sys Digital Voice Recorder 3K device driver;C:\WINDOWS\system32\Drivers\DVR3KUSB.sys
S3 slicedisk.sys;slicedisk.sys;\??\C:\WINDOWS\system32\slicedisk.sys
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys

*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
"2007-08-12 10:30:58 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-07 00:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.exe
"2007-10-24 13:26:17 C:\WINDOWS\Tasks\SmartDefrag.job"
- C:\Program Files\IObit\IObit SmartDefrag\schedule.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-24 15:26:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 10/24/2007 15:28:10 - machine was rebooted
C:\ComboFix2.txt ... 10/23/2007 04:24 PM
C:\ComboFix3.txt ... 10/22/2007 11:48 AM
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:38:38, on 25/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\cfgmng32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Advanced Registry Doctor\RegDfrgSch.exe
C:\Program Files\RoboTask\RoboTask.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Backup Expert\BackupExpert.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\Program Files\ComfortKeys\CKeys.exe
C:\Program Files\ComfortKeys\CKeysCm.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?source=navclient-ff
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: CIEIntegrator Object - {7A7F202E-AF91-4889-9DD5-2FE241085CC1} - C:\Program Files\PCSecureSystem\Tools\pg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: IEFW Object - {FAAD2038-C371-473D-86F1-5B11D39C3775} - C:\Program Files\PCSecureSystem\Tools\IEFWBHO.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [update_smartcleaner] "C:\Program Files\Smart Cleaner\UUpdate.exe"
O4 - HKLM\..\Run: [SmartCleaner] C:\Program Files\Smart Cleaner\SmartCleaner.exe /SCHEDULED
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [CKeys] C:\Program Files\ComfortKeys\CKeys.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [I&F Viewer toolbar] "C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [RegDfrgSch] C:\Program Files\Advanced Registry Doctor\RegDfrgSch.exe /tray
O4 - HKCU\..\Run: [RoboTask] C:\Program Files\RoboTask\RoboTask.exe
O4 - HKCU\..\Run: [Backup Expert] "C:\Program Files\Backup Expert\BackupExpert.exe" /logon
O4 - HKCU\..\Run: [FileEraser.exe] "C:\Program Files\File Eraser\FileEraser.exe" /minimize
O4 - HKCU\..\Run: [PCSecureSystem] C:\Program Files\PCSecureSystem\pgs.exe /min
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: גוזר מסך של OneNote 2007 ו- Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &ייצוא אל Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: שלח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: ש&לח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB29718F-CF4C-480A-A584-266AA705323C}: NameServer = 192.115.106.35 62.219.186.7
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel® AMT System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: WinSock Extention Manager - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe

--
End of file - 9924 bytes


NOD has found a few threats which I have deleted as you've told me to do, and 2 threats in the SDFix backup files which couldn't be deleted through the scan options, so I have deleted the whole SDFix backup file.

#11 Guest_Cretemonster_* (Guest)

Posted 25 October 2007 - 10:24 AM

I've spoken with Andy, the author of SDFix, and if we can get some samples, we will get this added to SDFix.

Look on your C:\ drive for the folder Qoobox, and look inside the Quarantine folder for the folder labeled C.

Inside the C folder should be copies of all these:
C:\WINDOWS\cfgmng32.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\win32cpr.dll
C:\WINDOWS\system32\winsflt.dll

If so, right-click the C folder and select Send To--> Compressed (Zipped) Folders.

Then upload that new zipped folder to the link below and post back letting me know it's uploaded, and I'll get those over to Andy.
http://www.bleepingcomputer.com/submit-malware.php?channel=4

Next, I need to get the rogue app off there:
"PCSecureSystem"="C:\Program Files\PCSecureSystem\pgs.exe"

Did you check Add\Remove Programs for an entry to remove this?

#12 nt148 (Topic Starter, Members, 16 posts)

Posted 28 October 2007 - 01:07 AM

I have found all of these:
C:\WINDOWS\cfgmng32.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\win32cpr.dll
C:\WINDOWS\system32\winsflt.dll,
but I don't have the option to zip them when I right-click...

And also I don't find PCSecure, neither in Add/Remove nor in "C".


#14 Guest_Cretemonster_* (Guest)

Posted 28 October 2007 - 09:31 AM

Go to http://uploadmalware.com/ and upload all 4 of those files please; leave your name and a link back to this topic so I know who it is.

Next, I need you to physically unplug your internet connection and don't reconnect it until I ask, please.

Click Start-> Run-> Type in Services.msc and click OK

Scroll that list and locate this entry

WinSock Extention Manager

Right-click that entry and select Properties-> Click Stop-> Go up and change the Startup Type to Disabled

Click Apply-> OK and exit the Services page


Copy the text below to Notepad and save it to the desktop with the name CFScript.txt

Driver::
WinSock Extention Manager
File::
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\win32cpr.dll
C:\WINDOWS\system32\winsflt.dll
C:\WINDOWS\cfgmng32.exe
Folder::
C:\Program Files\PCSecureSystem
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dvHighMem"=-
"PCSecureSystem"=-

Once saved, drag CFScript.txt on top of ComboFix.exe; this will launch the tool and begin the script.

Once ComboFix has finished, go to Start--> Run--> copy and paste the text below into the open Run box and click OK.

netsh winsock reset catalog

Restart the computer once more and then reconnect your internet connection.

Scan fresh with HijackThis and post those results along with the new ComboFix log.
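The triage the helper does by eye across this thread, as an added example in Python (it is not code from the original posts, from HijackThis or from ComboFix): an O23 service with "Unknown owner" whose binary sits under C:\WINDOWS, an O4 Run entry that launches an exe straight from the Windows folder rather than a subfolder, the PCSecureSystem folder the helper names as rogue, BHOs left pointing at a missing file, and a flagged binary that is back in the process list after the first ComboFix pass (mdmcls32.exe appears twice in the 25 October log, which is why the service is stopped and disabled before the second run). The script applies those rules to a constructed sample of lines copied from the logs in post #10 and writes out a CFScript in the Driver::/File::/Folder::/Registry:: layout used in post #14, taking the Registry:: hive from each O4 line itself (the log lists PCSecureSystem under HKCU). The Windows folder (C:\WINDOWS) and the rogue-folder list are assumptions passed in as parameters; "Unknown owner" on its own is only a cue, not proof, which is why the rule also requires the Windows-folder location.

```python
"""Triage a HijackThis log into a ComboFix CFScript.
Added example for this thread, not code from the posts, HijackThis or ComboFix.
Rules and sample lines come from the logs above; the Windows folder and the
rogue-folder list are assumptions passed as parameters."""
import re
from collections import Counter

# Constructed sample: lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\cfgmng32.exe
C:\WINDOWS\system32\mdmcls32.exe

O2 - BHO: CIEIntegrator Object - {7A7F202E-AF91-4889-9DD5-2FE241085CC1} - C:\Program Files\PCSecureSystem\Tools\pg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O4 - HKCU\..\Run: [PCSecureSystem] C:\Program Files\PCSecureSystem\pgs.exe /min
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: WinSock Extention Manager - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe
"""

WINDIR = r"C:\WINDOWS"  # assumption: default XP install location
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
# "display name (key name) - owner - path"; a display name containing " - " would confuse this split
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'"?(?P<exe>[A-Za-z]:\\.+?\.exe)"?(?:\s|$)', re.IGNORECASE)

def service_key(display_name):
    # "NOD32 Kernel Service (NOD32krn)" -> "NOD32krn"; no parentheses means the
    # key name equals the display name, as it does for the flagged service.
    m = re.search(r"\((?P<key>[^()]+)\)$", display_name)
    return m["key"] if m else display_name

def _under(path, root):
    return path.lower().startswith(root.rstrip("\\").lower() + "\\")

def _in_windir_root(path, windir):
    # True for <windir>\foo.exe, False for <windir>\system32\foo.exe
    return path.rpartition("\\")[0].lower() == windir.rstrip("\\").lower()

def triage(log_text, windir=WINDIR, rogue_dirs=(r"C:\Program Files\PCSecureSystem",)):
    """Apply the thread's rules of thumb; return what to remove and what to report."""
    found = {"drivers": [], "files": [], "folders": [], "registry": {}, "notes": []}
    running = Counter()
    for line in (raw.strip() for raw in log_text.splitlines()):
        if PROC_RE.match(line):
            running[line.lower()] += 1
        elif (m := O23_RE.match(line)):
            # Unknown owner plus a binary under the Windows folder: take the
            # service (Driver:: in CFScript terms) and its executable.
            if m["owner"] == "Unknown owner" and _under(m["path"], windir):
                found["drivers"].append(service_key(m["name"]))
                found["files"].append(m["path"])
        elif (m := O4_RE.match(line)):
            e = EXE_RE.search(m["cmd"])
            exe = e["exe"] if e else ""
            rogue = next((d for d in rogue_dirs if _under(exe, d)), None)
            if rogue or _in_windir_root(exe, windir):
                found["registry"].setdefault(m["hive"], []).append(m["value"])
                (found["folders"] if rogue else found["files"]).append(rogue or exe)
        elif (m := O2_RE.match(line)) and m["path"].endswith("(file missing)"):
            found["notes"].append(f"orphaned BHO {m['clsid']} -> {m['path']}")
    # mdmcls32.exe was deleted by the first ComboFix run and is back in the later
    # process list: a flagged binary still running is the cue to stop and
    # disable its service before the next pass.
    for path in found["files"]:
        if n := running.get(path.lower(), 0):
            found["notes"].append(f"{path} is still running ({n} instance(s)); stop its service before deleting")
    for key in ("drivers", "files", "folders"):
        found[key] = list(dict.fromkeys(found[key]))
    return found

def render_cfscript(found):
    """Emit the Driver::/File::/Folder::/Registry:: layout used in the post above."""
    out = []
    for header, items in (("Driver::", found["drivers"]), ("File::", found["files"]), ("Folder::", found["folders"])):
        if items:
            out.append(header)
            out.extend(items)
    if found["registry"]:
        out.append("Registry::")
        for hive, values in found["registry"].items():
            out.append(f"[{HIVES[hive]}\\{RUN_KEY}]")
            out.extend(f'"{v}"=-' for v in values)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(render_cfscript(result), *("NOTE: " + n for n in result["notes"]), sep="\n")
```

Run it and the CFScript comes out on stdout with the notes after it; to use a real log, read the file and pass its text to triage() instead of SAMPLE_LOG. The rules are deliberately narrow: RegManServ in the same log is also "Unknown owner" but lives under Program Files, so it is left alone, which matches what the helper did.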

#15 nt148 (Topic Starter, Members, 16 posts)

Posted 01 November 2007 - 06:54 AM

ComboFix 07-11-01.1 - Admin 11/01/2007 13:30:06.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.1.1033.18.460 [GMT 2:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\cfgmng32.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\win32cpr.dll
C:\WINDOWS\system32\winsflt.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cfgmng32.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\win32cpr.dll
C:\WINDOWS\system32\winsflt.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_WINSOCK_EXTENTION_MANAGER
-------\WinSock Extention Manager


((((((((((((((((((((((((( Files Created from 2007-10-01 to 2007-11-01 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-01 11:35 --------- d-----w C:\Program Files\File Eraser
2007-10-28 06:01 --------- d-----w C:\Documents and Settings\Admin\Application Data\com.zipeg
2007-10-28 05:59 --------- d-----w C:\Program Files\Zipeg
2007-10-25 12:34 --------- d-----w C:\Documents and Settings\Admin\Application Data\ComfortSoftware
2007-10-25 12:33 --------- d-----w C:\Program Files\ComfortKeys
2007-10-23 14:05 --------- d-----w C:\Program Files\Clone Terminator
2007-10-23 13:59 --------- d-----w C:\Program Files\MultiStage Recovery
2007-10-22 16:01 --------- d-----w C:\Program Files\Yahoo!
2007-10-22 10:10 --------- d-----w C:\Documents and Settings\Admin\Application Data\ZoomBrowser EX
2007-10-22 10:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-10-18 14:56 --------- d-----w C:\Program Files\Webteh
2007-10-18 14:23 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-10-18 13:30 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-18 13:28 --------- d-----w C:\Program Files\Google
2007-10-18 13:25 --------- d-----w C:\Program Files\Backup Expert
2007-10-18 13:25 --------- d-----w C:\Program Files\Advanced Registry Doctor
2007-10-18 11:18 --------- d-----w C:\Program Files\Trend Micro
2007-10-18 10:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-18 10:58 --------- d-----w C:\Documents and Settings\Admin\Application Data\SUPERAntiSpyware.com
2007-10-18 10:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-18 10:53 --------- d-----w C:\Program Files\Common Files\PCSecureSystem
2007-10-18 07:28 --------- d-----w C:\Program Files\Windows Desktop Search
2007-10-18 07:28 --------- d-----w C:\Program Files\RoboTask
2007-10-17 13:00 15,544 ----a-w C:\WINDOWS\system32\drivers\sbhr.sys
2007-10-17 12:31 --------- d-----w C:\Program Files\Sunbelt Software
2007-10-17 12:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-10-17 12:31 --------- d-----w C:\Documents and Settings\Admin\Application Data\Sunbelt Software
2007-10-17 11:52 --------- d-----w C:\Program Files\Smart Cleaner
2007-10-15 13:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2007-10-15 12:12 --------- d-----w C:\Program Files\InCode Solutions
2007-10-15 09:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skyline
2007-10-15 08:21 --------- d-----w C:\Documents and Settings\Admin\Application Data\PCSecureSystem
2007-10-14 16:03 --------- d-----w C:\Program Files\R-Studio
2007-10-14 16:02 --------- d-----w C:\Program Files\PrivacyEraser Computing
2007-10-11 10:08 --------- d-----w C:\Program Files\ImageComparer
2007-10-11 10:08 --------- d-----w C:\Documents and Settings\Admin\Application Data\Obsidium
2007-10-10 15:18 --------- d-----w C:\Program Files\JitBit
2007-10-09 17:16 --------- d-----w C:\Program Files\DivX
2007-10-09 14:59 --------- d-----w C:\Program Files\Elecard
2007-10-09 14:59 --------- d-----w C:\Program Files\Common Files\Elecard
2007-10-09 10:16 --------- d-----w C:\Documents and Settings\Admin\Application Data\Backup Expert
2007-10-09 10:14 --------- d-----w C:\Program Files\Java
2007-10-09 10:13 --------- d-----w C:\Program Files\Common Files\Java
2007-10-09 08:16 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-10-09 07:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-08 14:33 --------- d-----w C:\Documents and Settings\Admin\Application Data\gtk-2.0
2007-10-01 17:51 --------- d-----w C:\Documents and Settings\Admin\Application Data\Bildsoft
2007-10-01 17:48 --------- d-----w C:\Program Files\Bildsoft
2007-10-01 17:16 --------- d-----w C:\Program Files\XP SafeGuard
2007-09-28 13:13 --------- d-----w C:\Documents and Settings\Admin\Application Data\DivX
2007-09-28 13:05 --------- d-----w C:\Documents and Settings\Admin\Application Data\Talkback
2007-09-24 14:41 --------- d-----w C:\Documents and Settings\Admin\Application Data\com.zipeg.3409831b-d15a-4c83-8948-a4c852121285
2007-09-24 14:26 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-09-24 14:26 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2007-09-05 14:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2007-09-05 10:30 --------- d-----w C:\Program Files\Softland
2007-09-03 15:48 --------- d-----w C:\Program Files\Ligature
2007-09-02 15:36 --------- d-----w C:\Documents and Settings\Admin\Application Data\AdobeUM
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [07/27/2007 08:39 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/26/2006 11:47 PM]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [02/26/2007 01:03 PM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [09/24/2007 04:26 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [08/26/2005 06:14 PM]
"update_smartcleaner"="C:\Program Files\Smart Cleaner\UUpdate.exe" [10/10/2007 12:20 PM]
"SmartCleaner"="C:\Program Files\Smart Cleaner\SmartCleaner.exe" [10/11/2007 08:14 AM]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [08/27/2007 12:09 PM]
"CKeys"="C:\Program Files\ComfortKeys\CKeys.exe" [10/22/2007 08:01 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 06:24 PM]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 02:00 PM]
"I&F Viewer toolbar"="C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" [10/27/2006 08:34 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [11/13/2006 12:39 PM]
"RegDfrgSch"="C:\Program Files\Advanced Registry Doctor\RegDfrgSch.exe" [09/20/2007 01:38 PM]
"RoboTask"="C:\Program Files\RoboTask\RoboTask.exe" [09/25/2007 04:05 PM]
"Backup Expert"="C:\Program Files\Backup Expert\BackupExpert.exe" [09/20/2007 02:01 PM]
"FileEraser.exe"="C:\Program Files\File Eraser\FileEraser.exe" [07/12/2006 12:15 AM]
"PCSecureSystem"="C:\Program Files\PCSecureSystem\pgs.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/17/2007 12:25 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
גוזר מסך של OneNote 2007 ו- Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-27 05:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-08-19 18:08:24]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 14:40:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 02:39 PM 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R2 atchksrv;Intel® AMT System Status Service;C:\Program Files\Intel\AMT\atchksrv.exe
R2 LMS;Intel® Active Management Technology LMS Service;C:\Program Files\Intel\AMT\LMS.exe
R3 akshasp;Aladdin HASP Key;C:\WINDOWS\system32\DRIVERS\akshasp.sys
R3 SBAPIFS;SBAPIFS;\??\C:\WINDOWS\system32\drivers\sbapifs.sys
S3 DVR3KUSB;DVR3KUSB.Sys Digital Voice Recorder 3K device driver;C:\WINDOWS\system32\Drivers\DVR3KUSB.sys
S3 slicedisk.sys;slicedisk.sys;\??\C:\WINDOWS\system32\slicedisk.sys
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys

*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
"2007-08-12 10:30:58 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-07 00:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.exe
"2007-11-01 11:34:45 C:\WINDOWS\Tasks\SmartDefrag.job"
- C:\Program Files\IObit\IObit SmartDefrag\schedule.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 13:35:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 11/01/2007 13:36:31 - machine was rebooted
C:\ComboFix2.txt ... 10/24/2007 03:28 PM
C:\ComboFix3.txt ... 10/23/2007 04:24 PM
.
--- E O F ---



---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:49:45, on 01/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\ComfortKeys\CKeys.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Advanced Registry Doctor\RegDfrgSch.exe
C:\Program Files\Backup Expert\BackupExpert.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ComfortKeys\CKeysCm.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?source=navclient-ff
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [update_smartcleaner] "C:\Program Files\Smart Cleaner\UUpdate.exe"
O4 - HKLM\..\Run: [SmartCleaner] C:\Program Files\Smart Cleaner\SmartCleaner.exe /SCHEDULED
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [CKeys] C:\Program Files\ComfortKeys\CKeys.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [I&F Viewer toolbar] "C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [RegDfrgSch] C:\Program Files\Advanced Registry Doctor\RegDfrgSch.exe /tray
O4 - HKCU\..\Run: [RoboTask] C:\Program Files\RoboTask\RoboTask.exe
O4 - HKCU\..\Run: [Backup Expert] "C:\Program Files\Backup Expert\BackupExpert.exe" /logon
O4 - HKCU\..\Run: [FileEraser.exe] "C:\Program Files\File Eraser\FileEraser.exe" /minimize
O4 - HKCU\..\Run: [PCSecureSystem] C:\Program Files\PCSecureSystem\pgs.exe /min
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: גוזר מסך של OneNote 2007 ו- Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &ייצוא אל Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: שלח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: ש&לח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel® AMT System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 9190 bytes


Also, I couldn't apply the STOP option in the

WinSock Extension Manager.

Thank you again,

waiting to hear from you,



