Task Manager Disabled By Admin.


  • This topic is locked
8 replies to this topic

#1 Wraith2014

  • Members
  • 6 posts

Posted 06 April 2008 - 07:39 PM

I have one crazy virus. Task Manager has been disabled by admin, my background is stuck to an obvious spyware advertisement, and the computer is running very slow. I deleted the entry DisableTaskMgr from the registry at HKEY_CURRENT_USER/Software/Microsoft/CurrentVersion/Policies/System to re-enable the Task Manager, however the entry immediately reappears, even after disabling System Restore. Following is a log from HijackThis.

Deckard's System Scanner v20071014.68
Run by Wraith on 2008-04-06 20:29:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-04-07 00:31:03 UTC - RP2 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Wraith.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:30 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sunbelt Software\CounterSpy\CounterSpy.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Documents and Settings\Wraith\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Wraith.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?linkid=7715
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: targettedbanner.biz browser enhancer - {16B435F6-B6CE-4F24-A568-944B27ED919C} - C:\WINDOWS\system32\atgban.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {8E1BFC0E-8AD2-424D-AC8A-06038481516E} - C:\WINDOWS\system32\fccaXQkK.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {A1B524EA-91FC-4256-A76C-E43361247E5D} - C:\WINDOWS\system32\qoMghEVp.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{587F2E4E-0D72-4665-9163-C0B6FF5BE440}: NameServer = 166.102.165.11 166.102.165.13
O20 - Winlogon Notify: fccaXQkK - C:\WINDOWS\SYSTEM32\fccaXQkK.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 4621 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 swmidii - c:\windows\system32\drivers\swmidii.sys
R3 SBAPIFS - c:\windows\system32\drivers\sbapifs.sys (file missing)

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description:
Device ID: ACPI\AWY0001\2&DABA3FF&0
Manufacturer:
Name:
PNP Device ID: ACPI\AWY0001\2&DABA3FF&0
Service:


-- Files created between 2008-03-06 and 2008-04-06 -----------------------------

2008-04-06 20:23:38 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-04-06 20:23:38 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-04-06 20:22:15 0 d-------- C:\Documents and Settings\Wraith\Application Data\Sunbelt Software
2008-04-06 20:20:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-04-06 20:19:47 0 d-------- C:\Program Files\Sunbelt Software
2008-04-06 19:19:17 16896 --a------ C:\WINDOWS\changeurl_30.dll
2008-04-06 19:06:52 20224 --a------ C:\WINDOWS\2020search2.dll
2008-04-06 19:06:52 8704 --a------ C:\WINDOWS\2020search.dll
2008-04-06 19:06:52 25344 --a------ C:\WINDOWS\180ax.exe
2008-04-06 19:06:52 0 d-------- C:\Program Files\zango
2008-04-06 19:06:52 0 d-------- C:\Program Files\180searchassistant
2008-04-06 19:06:52 0 d-------- C:\Program Files\180search assistant
2008-04-06 19:06:51 0 d-------- C:\Program Files\180solutions
2008-04-06 16:15:48 0 d-------- C:\Documents and Settings\Wraith\.housecall6.6
2008-04-06 16:13:22 0 d-------- C:\WINDOWS\Sun
2008-04-06 16:13:21 0 d-------- C:\Documents and Settings\Wraith\Application Data\Sun
2008-04-06 16:06:24 0 d-------- C:\Program Files\seekmo
2008-04-06 15:54:51 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-06 15:54:51 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-06 15:54:51 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-06 15:54:51 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-04-06 15:54:51 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-06 15:54:51 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-06 15:54:51 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-06 15:54:51 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-04-06 15:54:51 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-06 15:54:51 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-04-06 15:54:51 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-06 15:54:51 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-06 15:54:51 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-06 15:54:51 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-06 15:37:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-06 15:37:34 28672 --a------ C:\WINDOWS\voiceip.dll
2008-04-06 15:37:34 26624 --a------ C:\WINDOWS\swin32.dll
2008-04-06 15:37:34 20480 --a------ C:\WINDOWS\stcloader.exe
2008-04-06 15:37:34 16896 --a------ C:\WINDOWS\cdsm32.dll
2008-04-06 15:37:34 0 d-------- C:\Program Files\stc
2008-04-06 15:37:33 22272 --a------ C:\WINDOWS\mssvr.exe
2008-04-06 15:37:33 17152 --a------ C:\WINDOWS\mspphe.dll
2008-04-06 15:37:33 22528 --a------ C:\WINDOWS\bokja.exe
2008-04-06 15:37:33 21248 --a------ C:\WINDOWS\bjam.dll
2008-04-06 15:37:32 21760 --a------ C:\WINDOWS\system32\WER8274.DLL
2008-04-06 15:37:32 14080 --a------ C:\WINDOWS\system32\MSIXU.DLL
2008-04-06 15:37:31 11520 --a------ C:\WINDOWS\salm.exe
2008-04-06 15:37:30 18176 --a------ C:\WINDOWS\updatetc.exe
2008-04-06 15:37:30 15360 --a------ C:\WINDOWS\system32\MSNSA32.dll
2008-04-06 15:37:30 24320 --a------ C:\WINDOWS\saiemod.dll
2008-04-06 15:37:30 0 d-------- C:\WINDOWS\FLEOK
2008-04-06 15:37:29 11264 --a------ C:\WINDOWS\system32\SIPSPI32.dll
2008-04-06 15:37:29 32000 --a------ C:\WINDOWS\system32\shdocpe.dll
2008-04-06 15:37:29 13568 --a------ C:\WINDOWS\msapasrc.dll
2008-04-06 15:37:29 27392 --a------ C:\WINDOWS\msa64chk.dll
2008-04-06 15:37:28 29952 --a------ C:\WINDOWS\system32\ntnut32.exe
2008-04-06 15:37:28 30976 --a------ C:\WINDOWS\shdocpl.dll
2008-04-06 15:37:28 22784 --a------ C:\WINDOWS\shdocpe.dll
2008-04-06 15:37:28 12800 --a------ C:\WINDOWS\ntnut.exe
2008-04-06 15:37:27 8192 --a------ C:\WINDOWS\winsb.dll
2008-04-06 15:37:27 25088 --a------ C:\WINDOWS\browserad.dll
2008-04-06 15:37:27 13312 --a------ C:\WINDOWS\aviwrap32.dll
2008-04-06 15:37:27 12288 --a------ C:\WINDOWS\avisynthex32.dll
2008-04-06 15:37:27 30720 --a------ C:\WINDOWS\avifile32.dll
2008-04-06 15:37:27 0 d-------- C:\Program Files\Sysmnt
2008-04-06 15:37:26 22272 --a------ C:\WINDOWS\autodisc32.dll
2008-04-06 15:37:26 25088 --a------ C:\WINDOWS\audiosrv32.dll
2008-04-06 15:37:26 24064 --a------ C:\WINDOWS\ati2dvag32.dll
2008-04-06 15:37:26 28416 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-04-06 15:37:26 16384 --a------ C:\WINDOWS\athprxy32.dll
2008-04-06 15:37:25 12800 --a------ C:\WINDOWS\asycfilt32.dll
2008-04-06 15:37:25 17152 --a------ C:\WINDOWS\asferror32.dll
2008-04-06 15:37:25 11776 --a------ C:\WINDOWS\apphelp32.dll
2008-04-06 15:29:35 0 d-------- C:\Documents and Settings\Wraith\Application Data\SoundSpectrum
2008-04-06 15:29:14 0 d-------- C:\Program Files\SoundSpectrum
2008-04-06 15:19:06 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-04-06 15:18:25 91561 --a------ C:\WINDOWS\system32\wmsdkns.exe <Not Verified; Microsoft; XML Media>
2008-04-06 15:18:00 24555 --ahs---- C:\WINDOWS\system32\pVEhgMoq.ini2
2008-04-06 15:17:25 6656 --a------ C:\WINDOWS\estrictions.dll
2008-04-06 15:17:22 268288 --a------ C:\WINDOWS\system32\qoMghEVp.dll
2008-04-06 15:15:59 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-04-06 15:13:20 39883 --a------ C:\WINDOWS\system32\targetedbanner-uninst.exe
2008-04-06 15:13:18 86144 --a------ C:\WINDOWS\system32\drivers\swmidii.sys
2008-04-06 15:13:17 0 d-------- C:\WINDOWS\system32\wii
2008-04-06 15:13:17 0 d-------- C:\WINDOWS\system32\pinz1
2008-04-06 15:13:17 0 d-------- C:\WINDOWS\system32\IDE2
2008-04-06 15:13:17 0 d-------- C:\WINDOWS\system32\ExTmp
2008-04-06 15:12:44 29696 ---hs---- C:\Documents and Settings\Wraith\lsass.exe
2008-04-06 15:12:36 0 d-------- C:\WINDOWS\system32\bharebio18
2008-04-06 15:12:36 0 d-------- C:\Temp
2008-04-06 15:12:16 37376 --a------ C:\WINDOWS\system32\fccaXQkK.dll
2008-04-06 03:03:48 0 d-------- C:\Documents and Settings\Wraith\Application Data\LimeWire
2008-04-06 03:03:10 0 d-------- C:\Program Files\Java
2008-04-06 02:59:45 0 d-------- C:\Program Files\Common Files\Java
2008-04-06 02:59:20 0 d-------- C:\Program Files\LimeWire
2008-04-06 02:26:33 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-06 02:26:32 0 d-------- C:\Documents and Settings\Wraith\Application Data\Mozilla
2008-04-06 02:19:31 0 d-------- C:\Documents and Settings\Wraith\Application Data\Smith Micro
2008-04-06 02:18:11 77824 --a------ C:\WINDOWS\system32\ptdmwmcp.dll <Not Verified; DEVGURU; Application Interface DLL>
2008-04-06 02:18:11 0 d-------- C:\Program Files\PANTECH
2008-04-06 02:18:07 0 d-------- C:\Program Files\Alltel
2008-04-04 22:39:48 6656 --a------ C:\WINDOWS\system32\000060.exe
2008-04-03 23:37:55 55652 --a------ C:\WINDOWS\War3Unin.dat
2008-04-03 23:37:54 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-04-03 23:37:54 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-04-03 23:35:11 0 d-------- C:\Program Files\Warcraft III
2008-04-03 13:36:41 0 d-------- C:\Program Files\Dreamcatcher
2008-04-03 01:23:11 0 d-------- C:\Program Files\Firaxis Games
2008-04-03 01:11:05 0 d-------- C:\Documents and Settings\Wraith\Application Data\My Games
2008-04-02 16:04:55 0 d-------- C:\Program Files\The Creative Assembly
2008-04-01 23:35:47 0 d-------- C:\Program Files\Battlestations Midway
2008-03-11 11:18:06 58880 --a------ C:\WINDOWS\system32\atgban.dll
2008-03-09 02:53:25 0 d-------- C:\Documents and Settings\Wraith\Application Data\WinRAR
2008-03-09 02:47:29 40960 -ra------ C:\WINDOWS\system32\psfind.dll
2008-03-09 02:37:54 0 d-------- C:\Program Files\THQ
2008-03-06 20:23:58 0 d-------- C:\Documents and Settings\Wraith\Application Data\DivX
2008-03-06 18:33:58 0 d-------- C:\Program Files\DivX
2008-03-06 02:24:44 0 d-------- C:\WINDOWS\pss


-- Find3M Report ---------------------------------------------------------------

2008-04-06 20:03:53 0 d-------- C:\Program Files\Trend Micro
2008-04-06 15:25:59 207 --a------ C:\Documents and Settings\Wraith\Application Data\G-Force Prefs (WindowsMediaPlayer).txt
2008-04-06 02:59:45 0 d-------- C:\Program Files\Common Files
2008-04-06 02:48:20 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-01 01:31:14 0 d-------- C:\Program Files\Microsoft Games
2008-02-26 03:37:23 0 dr-h----- C:\Documents and Settings\Wraith\Application Data\SecuROM
2008-02-23 15:46:46 281 --a------ C:\WINDOWS\EReg072.dat
2008-02-23 15:45:11 0 d-------- C:\Program Files\Maxis
2008-02-23 14:22:00 0 d-------- C:\Program Files\Bethesda Softworks
2008-02-21 20:23:53 0 d-------- C:\Documents and Settings\Wraith\Application Data\Apple Computer
2008-02-21 20:23:35 0 d-------- C:\Program Files\QuickTime
2008-02-21 20:23:02 0 d-------- C:\Program Files\iTunes
2008-02-21 20:22:58 0 d-------- C:\Program Files\iPod
2008-02-20 17:01:34 0 d-------- C:\Program Files\UBISOFT
2008-02-15 11:36:40 0 d-------- C:\Program Files\Atari
2008-02-13 22:35:29 0 d-------- C:\Program Files\Black Isle
2008-02-09 11:33:37 0 d-------- C:\Program Files\Common Files\InstallShield


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16B435F6-B6CE-4F24-A568-944B27ED919C}]
03/11/2008 11:18 AM 58880 --a------ C:\WINDOWS\system32\atgban.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E1BFC0E-8AD2-424D-AC8A-06038481516E}]
04/06/2008 03:12 PM 37376 --a------ C:\WINDOWS\system32\fccaXQkK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1B524EA-91FC-4256-A76C-E43361247E5D}]
04/06/2008 03:18 PM 268288 --a------ C:\WINDOWS\system32\qoMghEVp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [12/21/2007 03:30 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8E1BFC0E-8AD2-424D-AC8A-06038481516E}"= C:\WINDOWS\system32\fccaXQkK.dll [04/06/2008 03:12 PM 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccaXQkK]
fccaXQkK.dll 04/06/2008 03:12 PM 37376 C:\WINDOWS\system32\fccaXQkK.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qoMghEVp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Wraith^Start Menu^Programs^Startup^Bat - Auto Update.lnk]
path=C:\Documents and Settings\Wraith\Start Menu\Programs\Startup\Bat - Auto Update.lnk
backup=C:\WINDOWS\pss\Bat - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Wraith^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Wraith\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Wraith^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Wraith\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSA Shellu]
C:\Documents and Settings\Wraith\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
"C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
"C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PostSetupCheck]
C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\atgban.dll" DllStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
C:\Program Files\webHancer\Programs\whagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{CE-E5-5E-EC-DW}]
C:\WINDOWS\system32\pinz1\cegmgr76.exe DWram


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e773cc2-b3ff-11dc-ab94-806d6172696f}]
AutoRun\command- D:\setup.exe

*Newly Created Service* - SBAPIFS
*Newly Created Service* - SBCSSVC
*Newly Created Service* - SBHR
*Newly Created Service* - TMCOMM



-- End of Deckard's System Scanner: finished at 2008-04-06 20:36:50 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6400 @ 2.13GHz
CPU 1: Intel® Core™2 CPU 6400 @ 2.13GHz
Percentage of Memory in Use: 27%
Physical Memory (total/avail): 2045.85 MiB / 1484.85 MiB
Pagefile Memory (total/avail): 5984.06 MiB / 5310.87 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.78 MiB

C: is Fixed (NTFS) - 232.82 GiB total, 152.64 GiB free.
D: is CDROM (CDFS)
E: is Removable (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG SP2504C - 232.83 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.82 GiB - C:

\\.\PHYSICALDRIVE1 - PANTECH Mass Storage USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: PC-cillin Internet Security - Firewall v14 (Trend Micro, Inc.)
AV: PC-cillin Internet Security - Virus Protection v14.60.1180 (Trend Micro, Inc.) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"="C:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe:*:Enabled:Stronghold 2"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\UBISOFT\\Ghost Recon Advanced Warfighter 2\\graw2.exe"="C:\\Program Files\\UBISOFT\\Ghost Recon Advanced Warfighter 2\\graw2.exe:*:Enabled:Ghost Recon Advanced Warfighter® 2"
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"="C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)"
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"="C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Disabled:Windows Media Player"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Wraith\Application Data
CLASSPATH=C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CHRIS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Wraith
LOGONSERVER=\\CHRIS
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\PROGRA~1\Java\JRE16~1.0_0\bin;C:\PROGRA~1\Java\JRE16~1.0_0\bin;C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\QuickTime\QTSystem\;.
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Wraith\LOCALS~1\Temp
TMP=C:\DOCUME~1\Wraith\LOCALS~1\Temp
USERDOMAIN=CHRIS
USERNAME=Wraith
USERPROFILE=C:\Documents and Settings\Wraith
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Wraith (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> MsiExec /X{27DC856A-0916-4988-8198-8714DDD3183D}
--> MsiExec.exe /I{95D9B4D8-B091-4fab-80EA-313EB4B82FD6}
--> MsiExec.exe /I{EB997E90-5EB0-4eb5-90D0-90B1D2F0CA03}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Age of Empires III --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}
AGEIA PhysX v7.05.17 --> MsiExec.exe /X{27DC856A-0916-4988-8198-8714DDD3183D}
Baldur's Gate & Tales of the Sword Coast --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Black Isle\Baldur's Gate\Uninst.isu"
Baldur's Gate™ II - Shadows of Amn™ --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8DAE4336-2B71-11D4-9A6C-006067325E47}\setup.exe"
Barbarian Invasion --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD69C8CB-6964-432C-98AB-A5A09ED50EEA}\setup.exe" -l0x9
Battlestations: Midway --> MsiExec.exe /I{6BC0CDD6-E0C2-434D-9365-23E79E42DA95}
BloodRayne --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Terminal Reality\BloodRayne\Uninst.isu"
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Dell CinePlayer --> MsiExec.exe /I{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Dungeon Siege Legends of Aranna --> "C:\Program Files\Microsoft Games\Dungeon Siege\UNINSTAL.EXE" /runtemp /addremove
Enhancement Browser Tools Targetedbanner --> C:\WINDOWS\system32\targetedbanner-uninst.exe
ESPNMotion --> C:\PROGRA~1\ESPNMO~1\UNWISE.EXE /u C:\PROGRA~1\ESPNMO~1\INSTALL.LOG
G-Force --> C:\Program Files\SoundSpectrum\G-Force\Uninstall.exe
Heroes of Might and Magic V --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28101984-0BA6-40FD-9ABE-72F62F80C06C}\setup.exe" -l0x9
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Icewind Dale II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{588C135F-0B15-4A02-8F2D-04697BE2904E}\setup.exe" -l0x9
Intel® PRO Network Connections Drivers --> Prounstl.exe
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{59C4F14F-7590-45FC-BE9F-A67AB3590709} /l1033
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Neverwinter Nights 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F20C1251-1D0A-4944-B2AE-678581B33B19}\SETUP.exe" -l0x9 -removeonly
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PANTECH PC USB Modem Software --> C:\Program Files\PANTECH\PANTECH USB Modem\PTDMUninstall.exe
QuickLink Mobile --> C:\PROGRA~1\Alltel\QUICKL~1\UNWISE.EXE C:\PROGRA~1\Alltel\QUICKL~1\INSTALL.LOG
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
Rome - Total War --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51D386C4-0227-46A9-AC45-61F0A50E7AFF}\setup.exe" -l0x9 -removeonly
S.T.A.L.K.E.R. - Shadow of Chernobyl [v1.0006] --> "C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\unins000.exe"
Sierra On-Line Games (Remove only) --> C:\SIERRA\SETUP.EXE /U
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
SimCity 3000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Maxis\SimCity 3000\Uninst.isu"
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Star Trek Legacy --> MsiExec.exe /I{287A4E96-AC57-4A19-9B51-C5EED2EAB382}
Stronghold 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{16D2C649-CBA8-44EE-B730-12584667D487}\setup.exe" -l0x9 -removeonly
Titan Quest --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{412B69AF-C352-4F6F-A318-B92B3CB9ACC6}\setup.exe" -l0x9 -removeonly
Titan Quest Immortal Throne --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5C5C17E-FEF6-4062-8151-A427AE8AF9D7}\setup.exe" -l0x9 -removeonly
Tom Clancy's Ghost Recon Advanced Warfighter® 2 --> "C:\Program Files\InstallShield Installation Information\{F78AC3C0-578C-49AB-BD4E-3107A6036A13}\Setup.exe" -runfromtemp -l0x0009 -removeonly
Trend Micro PC-cillin Internet Security 14 --> C:\PROGRA~1\TRENDM~1\INTERN~1\remove.exe
Trend Micro PC-cillin Internet Security 14 --> MsiExec.exe /X{EA8C73AA-3D75-44C9-87A2-8E945FC5FEE6}
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type705 / Error
Event Submitted/Written: 04/03/2008 01:19:04 AM
Event ID/Source: 0 /
Event Description:
7

Event Record #/Type704 / Error
Event Submitted/Written: 04/03/2008 01:19:04 AM
Event ID/Source: 0 /
Event Description:
6

Event Record #/Type703 / Error
Event Submitted/Written: 04/03/2008 01:19:04 AM
Event ID/Source: 0 /
Event Description:
3

Event Record #/Type702 / Error
Event Submitted/Written: 04/03/2008 01:17:22 AM
Event ID/Source: 0 /
Event Description:
7

Event Record #/Type701 / Error
Event Submitted/Written: 04/03/2008 01:17:22 AM
Event ID/Source: 0 /
Event Description:
6



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1808 / Error
Event Submitted/Written: 04/06/2008 07:14:18 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type1807 / Error
Event Submitted/Written: 04/06/2008 07:14:18 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type1786 / Error
Event Submitted/Written: 04/06/2008 07:03:59 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type1785 / Error
Event Submitted/Written: 04/06/2008 07:00:27 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
OMCI
RasAcd
Rdbss
Tcpip
tmtdi

Event Record #/Type1784 / Error
Event Submitted/Written: 04/06/2008 07:00:27 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Trend Micro Proxy Service service depends on the Trend Micro TDI Driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-04-06 20:36:50 ------------

#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 06 April 2008 - 07:47 PM

Hello Wraith2014

Welcome to BleepingComputer :thumbsup:
========================
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Edit:Code

Edited by kahdah, 06 April 2008 - 07:47 PM.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 Wraith2014

Wraith2014
  • Topic Starter

  • Members
  • 6 posts

Posted 06 April 2008 - 08:12 PM

combofix log followed by hjt:

ComboFix 08-04-06.1 - Wraith 2008-04-06 20:52:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1383 [GMT -4:00]
Running from: C:\Documents and Settings\Wraith\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Wraith\lsass.exe
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\Fonts\'
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\000060.exe
C:\WINDOWS\system32\atgban.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\swmidii.sys
C:\WINDOWS\system32\fccaXQkK.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pVEhgMoq.ini
C:\WINDOWS\system32\pVEhgMoq.ini2
C:\WINDOWS\system32\qoMghEVp.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_swmidii
-------\Legacy_swmidii
-------\swmidii


((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-06 21:03 . 2008-04-06 21:06 <DIR> d-------- C:\Program Files\seekmo
2008-04-06 20:23 . 2008-04-06 20:23 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-04-06 20:23 . 2008-04-06 20:23 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-04-06 20:22 . 2008-04-06 20:22 <DIR> d-------- C:\Documents and Settings\Wraith\Application Data\Sunbelt Software
2008-04-06 20:22 . 2008-04-06 20:22 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-04-06 20:20 . 2008-04-06 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-04-06 20:19 . 2008-04-06 20:19 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-04-06 20:01 . 2008-04-06 19:37 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-06 19:19 . 2008-04-06 19:19 16,896 --a------ C:\WINDOWS\changeurl_30.dll
2008-04-06 19:06 . 2008-04-06 19:06 <DIR> d-------- C:\Program Files\zango
2008-04-06 19:06 . 2008-04-06 19:06 <DIR> d-------- C:\Program Files\180solutions
2008-04-06 19:06 . 2008-04-06 19:06 <DIR> d-------- C:\Program Files\180searchassistant
2008-04-06 19:06 . 2008-04-06 19:06 <DIR> d-------- C:\Program Files\180search assistant
2008-04-06 19:06 . 2008-04-06 19:06 10,240 --a------ C:\WINDOWS\123messenger.per
2008-04-06 16:15 . 2008-04-06 20:01 <DIR> d-------- C:\Documents and Settings\Wraith\.housecall6.6
2008-04-06 16:13 . 2008-04-06 16:13 <DIR> d-------- C:\WINDOWS\Sun
2008-04-06 15:37 . 2008-04-06 15:37 <DIR> d-------- C:\Program Files\Sysmnt
2008-04-06 15:37 . 2008-04-06 15:37 <DIR> d-------- C:\Program Files\stc
2008-04-06 15:37 . 2008-04-06 15:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-06 15:29 . 2008-04-06 15:29 <DIR> d-------- C:\Program Files\SoundSpectrum
2008-04-06 15:29 . 2008-04-06 15:29 <DIR> d-------- C:\Documents and Settings\Wraith\Application Data\SoundSpectrum
2008-04-06 15:18 . 2008-04-06 15:19 91,561 --a------ C:\WINDOWS\system32\wmsdkns.exe
2008-04-06 15:17 . 2008-04-06 15:17 6,656 --a------ C:\WINDOWS\estrictions.dll
2008-04-06 15:15 . 2008-04-06 15:15 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-04-06 15:13 . 2008-04-06 15:13 <DIR> d-------- C:\WINDOWS\system32\wii
2008-04-06 15:13 . 2008-04-06 15:13 <DIR> d-------- C:\WINDOWS\system32\pinz1
2008-04-06 15:13 . 2008-04-06 15:13 <DIR> d-------- C:\WINDOWS\system32\IDE2
2008-04-06 15:13 . 2008-04-06 15:13 <DIR> d-------- C:\WINDOWS\system32\ExTmp
2008-04-06 15:13 . 2008-04-06 15:13 39,883 --a------ C:\WINDOWS\system32\targetedbanner-uninst.exe
2008-04-06 15:12 . 2008-04-06 15:12 <DIR> d-------- C:\WINDOWS\system32\bharebio18
2008-04-06 15:12 . 2008-04-06 15:13 <DIR> d-------- C:\Temp\wdlw14
2008-04-06 15:12 . 2008-04-06 20:54 <DIR> d-------- C:\Temp
2008-04-06 11:57 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-04-06 11:57 . 2006-12-08 12:02 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2008-04-06 03:03 . 2008-04-06 03:03 <DIR> d-------- C:\Program Files\Java
2008-04-06 03:03 . 2008-04-06 15:39 <DIR> d-------- C:\Documents and Settings\Wraith\Application Data\LimeWire
2008-04-06 03:03 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-06 02:59 . 2008-04-06 03:03 <DIR> d-------- C:\Program Files\LimeWire
2008-04-06 02:59 . 2008-04-06 02:59 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-06 02:26 . 2008-04-06 02:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-06 02:19 . 2008-04-06 02:19 <DIR> d-------- C:\Documents and Settings\Wraith\Application Data\Smith Micro
2008-04-06 02:18 . 2008-04-06 02:18 <DIR> d-------- C:\Program Files\PANTECH
2008-04-06 02:18 . 2008-04-06 02:18 <DIR> d-------- C:\Program Files\Alltel
2008-04-06 02:18 . 2006-11-01 18:21 319,456 --a------ C:\WINDOWS\system32\DIFxAPI.dll
2008-04-06 02:18 . 2007-08-23 01:13 77,824 --a------ C:\WINDOWS\system32\ptdmwmcp.dll
2008-04-06 02:18 . 2007-08-17 21:56 59,520 --a------ C:\WINDOWS\system32\drivers\PTDMWWAN.sys
2008-04-06 02:18 . 2007-08-17 21:56 41,856 --a------ C:\WINDOWS\system32\drivers\PTDMMdm.sys
2008-04-06 02:18 . 2007-08-17 21:56 39,936 --a------ C:\WINDOWS\system32\drivers\PTDMVsp.sys
2008-04-06 02:18 . 2007-08-17 21:56 29,952 --a------ C:\WINDOWS\system32\drivers\PTDMBus.sys
2008-04-03 23:37 . 2008-04-03 23:42 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-04-03 23:37 . 2008-04-03 23:42 55,652 --a------ C:\WINDOWS\War3Unin.dat
2008-04-03 23:37 . 2008-04-03 23:42 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-04-03 23:35 . 2008-04-04 09:56 <DIR> d-------- C:\Program Files\Warcraft III
2008-04-03 13:36 . 2008-04-03 13:36 <DIR> d-------- C:\Program Files\Dreamcatcher
2008-04-03 01:23 . 2008-04-03 01:23 <DIR> d-------- C:\Program Files\Firaxis Games
2008-04-03 01:11 . 2008-04-03 01:11 <DIR> d-------- C:\Documents and Settings\Wraith\Application Data\My Games
2008-04-02 16:04 . 2008-04-02 16:04 <DIR> d-------- C:\Program Files\The Creative Assembly
2008-04-01 23:50 . 2006-09-28 17:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-04-01 23:50 . 2006-09-28 17:05 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2008-04-01 23:50 . 2006-09-28 17:04 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-04-01 23:50 . 2006-11-15 11:38 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2008-04-01 23:35 . 2008-04-01 23:42 <DIR> d-------- C:\Program Files\Battlestations Midway
2008-03-09 02:47 . 2007-01-03 15:16 40,960 -ra------ C:\WINDOWS\system32\psfind.dll
2008-03-09 02:37 . 2008-04-06 11:46 <DIR> d-------- C:\Program Files\THQ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 01:03 31,232 ----a-w C:\WINDOWS\mssvr.exe
2008-04-07 01:03 29,440 ----a-w C:\WINDOWS\updatetc.exe
2008-04-07 01:03 22,528 ----a-w C:\WINDOWS\salm.exe
2008-04-07 01:03 18,944 ----a-w C:\WINDOWS\voiceip.dll
2008-04-07 01:03 17,664 ----a-w C:\WINDOWS\stcloader.exe
2008-04-07 01:03 15,872 ----a-w C:\WINDOWS\swin32.dll
2008-04-07 01:03 12,544 ----a-w C:\WINDOWS\saiemod.dll
2008-04-07 01:01 8,960 ----a-w C:\WINDOWS\bokja.exe
2008-04-07 01:01 31,744 ----a-w C:\WINDOWS\180ax.exe
2008-04-07 01:01 30,976 ----a-w C:\WINDOWS\2020search.dll
2008-04-07 01:01 24,320 ----a-w C:\WINDOWS\cdsm32.dll
2008-04-07 01:01 23,040 ----a-w C:\WINDOWS\bjam.dll
2008-04-07 01:01 22,784 ----a-w C:\WINDOWS\mspphe.dll
2008-04-07 01:01 20,480 ----a-w C:\WINDOWS\2020search2.dll
2008-04-07 00:03 --------- d-----w C:\Program Files\Trend Micro
2008-04-06 06:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 20:16 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-03-07 00:23 --------- d-----w C:\Documents and Settings\Wraith\Application Data\DivX
2008-03-06 22:34 --------- d-----w C:\Program Files\DivX
2008-03-01 05:31 --------- d-----w C:\Program Files\Microsoft Games
2008-02-26 07:37 --------- d--h--r C:\Documents and Settings\Wraith\Application Data\SecuROM
2008-02-23 19:45 --------- d-----w C:\Program Files\Maxis
2008-02-23 18:22 --------- d-----w C:\Program Files\Bethesda Softworks
2008-02-22 00:23 --------- d-----w C:\Program Files\QuickTime
2008-02-22 00:23 --------- d-----w C:\Program Files\iTunes
2008-02-22 00:23 --------- d-----w C:\Documents and Settings\Wraith\Application Data\Apple Computer
2008-02-22 00:22 --------- d-----w C:\Program Files\iPod
2008-02-22 00:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-20 21:01 --------- d-----w C:\Program Files\UBISOFT
2008-02-15 15:36 --------- d-----w C:\Program Files\Atari
2008-02-14 02:35 --------- d-----w C:\Program Files\Black Isle
2008-02-09 15:33 --------- d-----w C:\Program Files\Common Files\InstallShield
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-12-21 15:30 698864]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-08 15:54 7630848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^Wraith^Start Menu^Programs^Startup^Bat - Auto Update.lnk]
path=C:\Documents and Settings\Wraith\Start Menu\Programs\Startup\Bat - Auto Update.lnk
backup=C:\WINDOWS\pss\Bat - Auto Update.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Wraith^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Wraith\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Wraith^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Wraith\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 04:12 94208 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 14:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2005-11-02 21:52 461544 C:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSA Shellu]
C:\Documents and Settings\Wraith\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 02:06 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-08-08 15:54 7630848 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
--a------ 2006-08-04 17:15 321040 C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2006-09-18 17:34 1807960 C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PostSetupCheck]
C:\WINDOWS\system32\atgban.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-21 20:23 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1000106.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-20 17:00 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
C:\Program Files\webHancer\Programs\whagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{CE-E5-5E-EC-DW}]
--a------ 2008-02-14 10:42 49152 C:\WINDOWS\system32\pinz1\cegmgr76.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\UBISOFT\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-04-06 20:22]
R3 PTDMBus;PANTECH USB Modem Composite Device Driver ;C:\WINDOWS\system32\DRIVERS\PTDMBus.sys [2007-08-17 21:56]
R3 PTDMMdm;PANTECH USB Modem Drivers ;C:\WINDOWS\system32\DRIVERS\PTDMMdm.sys [2007-08-17 21:56]
R3 PTDMVsp;PANTECH USB Modem Serial Port ;C:\WINDOWS\system32\DRIVERS\PTDMVsp.sys [2007-08-17 21:56]
R3 PTDMWWAN;PANTECH USB Modem WWAN Driver;C:\WINDOWS\system32\DRIVERS\PTDMWWAN.sys [2007-08-17 21:56]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Start.exe

.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-04-06 21:09:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-07 01:08:34
Pre-Run: 163,842,789,376 bytes free
Post-Run: 163,822,346,240 bytes free





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:51 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?linkid=7715
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 3082 bytes

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 06 April 2008 - 08:14 PM

We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.




Download the file & save it as it's originally named, next to ComboFix.exe.





Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

#5 Wraith2014

Wraith2014
  • Topic Starter

  • Members
  • 6 posts

Posted 06 April 2008 - 08:29 PM

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 06 April 2008 - 08:30 PM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::


File::
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\123messenger.per
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\estrictions.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\targetedbanner-uninst.exe
C:\WINDOWS\mssvr.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\salm.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\saiemod.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\2020search2.dll
C:\Documents and Settings\Wraith\lsass.exe
C:\WINDOWS\system32\atgban.dll
C:\WINDOWS\mrofinu1000106.exe
D:\Start.exe
Folder::
C:\Program Files\seekmo
C:\Program Files\zango
C:\Program Files\180solutions
C:\Program Files\180searchassistant
C:\Program Files\180search assistant
C:\Program Files\Sysmnt
C:\Program Files\stc
C:\Documents and Settings\All Users\Application Data\Rabio
C:\WINDOWS\system32\pinz1
C:\WINDOWS\system32\IDE2
C:\Program Files\webHancer
Dirlook::
C:\WINDOWS\system32\wii
C:\WINDOWS\system32\bharebio18
C:\Temp\wdlw14
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSA Shellu]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PostSetupCheck]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

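As an added example (not ComboFix's code and not from any post in this thread): a small Python script that parses the CFScript format used in the post above (`Name::` section headers, one path or key per line) and reconciles its `File::` and `Folder::` entries against the `Other Deletions` block of the follow-up ComboFix report posted next, so an analyst can see which requested removals the log actually confirms. It assumes only the layout visible in the posted logs; the sample inputs are constructed subsets of the paths quoted in this thread.

```python
"""Reconcile a ComboFix CFScript with the 'Other Deletions' block of the follow-up
ComboFix report, so an analyst can see which requested removals were confirmed.

Added example for this thread; not ComboFix code and not from any post here. It
assumes only what the posted logs show: a CFScript is a sequence of 'Name::'
section headers (KILLALL::, File::, Folder::, Dirlook::, Registry::) followed by
one path or key per line, and a ComboFix report lists removed paths under its
'((( Other Deletions )))' banner. Sample inputs are constructed from the thread.
"""
import re
from collections import OrderedDict

# 'File::' style section header in a CFScript
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# '((((( Other Deletions )))))' style banner in a ComboFix report
BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")

# Constructed CFScript sample (a subset of the script posted above).
CFSCRIPT_SAMPLE = r"""KILLALL::

File::
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\mrofinu1000106.exe
D:\Start.exe
Folder::
C:\Program Files\zango
C:\Program Files\webHancer
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
"""

# Constructed follow-up report sample (a subset of the second ComboFix log).
REPORT_SAMPLE = r"""ComboFix 08-04-06.1 - Wraith 2008-04-06 21:33:54.2 - NTFSx86
FILE ::
C:\WINDOWS\changeurl_30.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\WINDOWS\changeurl_30.dll
((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
2008-04-06 21:26 . 2008-04-06 21:26 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
"""


def parse_cfscript(text):
    """Return {section: [entries]} in script order; a section may be empty."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def parse_report_blocks(text):
    """Split a ComboFix report into {banner title: [lines]}. Text before the
    first banner (version line, echoed FILE :: list) is ignored, as are the
    '.' spacer lines ComboFix emits."""
    blocks = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        banner = BANNER_RE.match(line)
        if banner:
            current = banner.group(1)
            blocks.setdefault(current, [])
        elif current is not None and line not in ("", "."):
            blocks[current].append(line)
    return blocks


def reconcile(cfscript_text, report_text):
    """Classify each File::/Folder:: entry as confirmed (listed under Other
    Deletions) or unconfirmed. Paths compare case-insensitively, as NTFS does;
    a Folder:: entry is confirmed by the folder itself or any child path."""
    script = parse_cfscript(cfscript_text)
    deleted = [p.lower() for p in parse_report_blocks(report_text).get("Other Deletions", [])]
    result = {"confirmed": [], "unconfirmed": []}
    for section in ("File", "Folder"):
        for entry in script.get(section, []):
            needle = entry.lower()
            hit = any(d == needle or (section == "Folder" and d.startswith(needle + "\\"))
                      for d in deleted)
            result["confirmed" if hit else "unconfirmed"].append(entry)
    return result


if __name__ == "__main__":
    for status, paths in reconcile(CFSCRIPT_SAMPLE, REPORT_SAMPLE).items():
        print(status, paths)
```

Unconfirmed entries are not necessarily failures: in this thread several paths had already been removed by the first ComboFix run, so they do not reappear in the second report's deletions.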

#7 Wraith2014

Wraith2014
  • Topic Starter

  • Members
  • 6 posts

Posted 06 April 2008 - 08:41 PM

ComboFix 08-04-06.1 - Wraith 2008-04-06 21:33:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1677 [GMT -4:00]
Running from: C:\Documents and Settings\Wraith\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wraith\My Documents\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Wraith\lsass.exe
C:\WINDOWS\123messenger.per
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\estrictions.dll
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\atgban.dll
C:\WINDOWS\system32\targetedbanner-uninst.exe
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
D:\Start.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\seekmo
C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\WINDOWS\123messenger.per
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\estrictions.dll
C:\WINDOWS\system32\IDE2
C:\WINDOWS\system32\IDE2\mdllcom2.exe
C:\WINDOWS\system32\pinz1
C:\WINDOWS\system32\pinz1\cegmgr76.exe
C:\WINDOWS\system32\targetedbanner-uninst.exe
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\wmsdkns.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-06 21:26 . 2008-04-06 21:26 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-04-06 20:29 . 2008-04-06 20:29 <DIR> d-------- C:\Deckard
2008-04-06 20:23 . 2008-04-06 20:23 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-04-06 20:23 . 2008-04-06 20:23 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-04-06 20:22 . 2008-04-06 20:22 <DIR> d-------- C:\Documents and Settings\Wraith\Application Data\Sunbelt Software
2008-04-06 20:22 . 2008-04-06 20:22 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-04-06 20:20 . 2008-04-06 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-04-06 20:19 . 2008-04-06 20:19 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-04-06 20:01 . 2008-04-06 19:37 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-06 16:15 . 2008-04-06 20:01 <DIR> d-------- C:\Documents and Settings\Wraith\.housecall6.6
2008-04-06 16:13 . 2008-04-06 16:13 <DIR> d-------- C:\WINDOWS\Sun
2008-04-06 15:29 . 2008-04-06 15:29 <DIR> d-------- C:\Program Files\SoundSpectrum
2008-04-06 15:29 . 2008-04-06 15:29 <DIR> d-------- C:\Documents and Settings\Wraith\Application Data\SoundSpectrum
2008-04-06 15:13 . 2008-04-06 15:13 <DIR> d-------- C:\WINDOWS\system32\wii
2008-04-06 15:13 . 2008-04-06 15:13 <DIR> d-------- C:\WINDOWS\system32\ExTmp
2008-04-06 15:12 . 2008-04-06 15:12 <DIR> d-------- C:\WINDOWS\system32\bharebio18
2008-04-06 15:12 . 2008-04-06 15:13 <DIR> d-------- C:\Temp\wdlw14
2008-04-06 15:12 . 2008-04-06 20:54 <DIR> d-------- C:\Temp
2008-04-06 11:57 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-04-06 11:57 . 2006-12-08 12:02 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2008-04-06 03:03 . 2008-04-06 03:03 <DIR> d-------- C:\Program Files\Java
2008-04-06 03:03 . 2008-04-06 15:39 <DIR> d-------- C:\Documents and Settings\Wraith\Application Data\LimeWire
2008-04-06 03:03 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-06 02:59 . 2008-04-06 03:03 <DIR> d-------- C:\Program Files\LimeWire
2008-04-06 02:59 . 2008-04-06 02:59 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-06 02:26 . 2008-04-06 02:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-06 02:19 . 2008-04-06 02:19 <DIR> d-------- C:\Documents and Settings\Wraith\Application Data\Smith Micro
2008-04-06 02:18 . 2008-04-06 02:18 <DIR> d-------- C:\Program Files\PANTECH
2008-04-06 02:18 . 2008-04-06 02:18 <DIR> d-------- C:\Program Files\Alltel
2008-04-06 02:18 . 2006-11-01 18:21 319,456 --a------ C:\WINDOWS\system32\DIFxAPI.dll
2008-04-06 02:18 . 2007-08-23 01:13 77,824 --a------ C:\WINDOWS\system32\ptdmwmcp.dll
2008-04-06 02:18 . 2007-08-17 21:56 59,520 --a------ C:\WINDOWS\system32\drivers\PTDMWWAN.sys
2008-04-06 02:18 . 2007-08-17 21:56 41,856 --a------ C:\WINDOWS\system32\drivers\PTDMMdm.sys
2008-04-06 02:18 . 2007-08-17 21:56 39,936 --a------ C:\WINDOWS\system32\drivers\PTDMVsp.sys
2008-04-06 02:18 . 2007-08-17 21:56 29,952 --a------ C:\WINDOWS\system32\drivers\PTDMBus.sys
2008-04-03 23:37 . 2008-04-03 23:42 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-04-03 23:37 . 2008-04-03 23:42 55,652 --a------ C:\WINDOWS\War3Unin.dat
2008-04-03 23:37 . 2008-04-03 23:42 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-04-03 23:35 . 2008-04-04 09:56 <DIR> d-------- C:\Program Files\Warcraft III
2008-04-03 13:36 . 2008-04-03 13:36 <DIR> d-------- C:\Program Files\Dreamcatcher
2008-04-03 01:23 . 2008-04-03 01:23 <DIR> d-------- C:\Program Files\Firaxis Games
2008-04-03 01:11 . 2008-04-03 01:11 <DIR> d-------- C:\Documents and Settings\Wraith\Application Data\My Games
2008-04-02 16:04 . 2008-04-02 16:04 <DIR> d-------- C:\Program Files\The Creative Assembly
2008-04-01 23:50 . 2006-09-28 17:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-04-01 23:50 . 2006-09-28 17:05 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2008-04-01 23:50 . 2006-09-28 17:04 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-04-01 23:50 . 2006-11-15 11:38 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2008-04-01 23:35 . 2008-04-01 23:42 <DIR> d-------- C:\Program Files\Battlestations Midway
2008-03-09 02:47 . 2007-01-03 15:16 40,960 -ra------ C:\WINDOWS\system32\psfind.dll
2008-03-09 02:37 . 2008-04-06 11:46 <DIR> d-------- C:\Program Files\THQ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 00:03 --------- d-----w C:\Program Files\Trend Micro
2008-04-06 06:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 20:16 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-03-07 00:23 --------- d-----w C:\Documents and Settings\Wraith\Application Data\DivX
2008-03-06 22:34 --------- d-----w C:\Program Files\DivX
2008-03-01 05:31 --------- d-----w C:\Program Files\Microsoft Games
2008-02-26 07:37 --------- d--h--r C:\Documents and Settings\Wraith\Application Data\SecuROM
2008-02-23 19:45 --------- d-----w C:\Program Files\Maxis
2008-02-23 18:22 --------- d-----w C:\Program Files\Bethesda Softworks
2008-02-22 00:23 --------- d-----w C:\Program Files\QuickTime
2008-02-22 00:23 --------- d-----w C:\Program Files\iTunes
2008-02-22 00:23 --------- d-----w C:\Documents and Settings\Wraith\Application Data\Apple Computer
2008-02-22 00:22 --------- d-----w C:\Program Files\iPod
2008-02-22 00:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-20 21:01 --------- d-----w C:\Program Files\UBISOFT
2008-02-15 15:36 --------- d-----w C:\Program Files\Atari
2008-02-14 02:35 --------- d-----w C:\Program Files\Black Isle
2008-02-09 15:33 --------- d-----w C:\Program Files\Common Files\InstallShield
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Temp\wdlw14 ----

2008-04-06 15:13 1858 --a------ C:\Temp\wdlw14\maxN1bo.log

---- Directory of C:\WINDOWS\system32\bharebio18 ----

2008-04-02 08:43 32768 --a------ C:\WINDOWS\system32\bharebio18\bharebio182328.exe

---- Directory of C:\WINDOWS\system32\wii ----

2008-03-12 20:22 139457 --a------ C:\WINDOWS\system32\wii\HTgn1dll.exe


((((((((((((((((((((((((((((( snapshot@2008-04-06_21.08.25.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-10 11:00:00 66,560 ----a-w C:\WINDOWS\LastGood.Tmp\system32\cdm.dll
+ 2004-08-10 11:00:00 430,592 ----a-w C:\WINDOWS\LastGood.Tmp\system32\wuapi.dll
+ 2004-08-10 11:00:00 111,104 ----a-w C:\WINDOWS\LastGood.Tmp\system32\wuauclt.exe
+ 2004-08-10 11:00:00 1,134,592 ----a-w C:\WINDOWS\LastGood.Tmp\system32\wuaueng.dll
+ 2004-08-10 11:00:00 112,640 ----a-w C:\WINDOWS\LastGood.Tmp\system32\wucltui.dll
+ 2004-08-10 11:00:00 36,864 ----a-w C:\WINDOWS\LastGood.Tmp\system32\wups.dll
+ 2004-08-10 11:00:00 120,320 ----a-w C:\WINDOWS\LastGood.Tmp\system32\wuweb.dll
- 2004-08-10 11:00:00 66,560 ----a-w C:\WINDOWS\system32\cdm.dll
+ 2007-07-30 23:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
- 2004-08-10 11:00:00 66,560 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2007-07-30 23:19:20 92,504 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
- 2004-08-10 11:00:00 430,592 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
+ 2007-07-30 23:19:36 549,720 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
- 2004-08-10 11:00:00 111,104 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
+ 2007-07-30 23:19:16 53,080 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
- 2004-08-10 11:00:00 1,134,592 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2007-07-30 23:19:42 1,712,984 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
- 2004-08-10 11:00:00 112,640 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
+ 2007-07-30 23:19:32 325,976 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
- 2004-08-10 11:00:00 120,320 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2007-07-30 23:19:28 203,096 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2007-07-30 23:18:40 33,624 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\wups.dll
- 2004-08-10 11:00:00 430,592 ----a-w C:\WINDOWS\system32\wuapi.dll
+ 2007-07-30 23:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
- 2004-08-10 11:00:00 111,104 ----a-w C:\WINDOWS\system32\wuauclt.exe
+ 2007-07-30 23:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
- 2004-08-10 11:00:00 1,134,592 ----a-w C:\WINDOWS\system32\wuaueng.dll
+ 2007-07-30 23:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
- 2004-08-10 11:00:00 112,640 ----a-w C:\WINDOWS\system32\wucltui.dll
+ 2007-07-30 23:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
- 2004-08-10 11:00:00 36,864 ----a-w C:\WINDOWS\system32\wups.dll
+ 2007-07-30 23:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
+ 2007-07-30 23:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
- 2004-08-10 11:00:00 120,320 ----a-w C:\WINDOWS\system32\wuweb.dll
+ 2007-07-30 23:19:28 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-12-21 15:30 698864]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-08 15:54 7630848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^Wraith^Start Menu^Programs^Startup^Bat - Auto Update.lnk]
path=C:\Documents and Settings\Wraith\Start Menu\Programs\Startup\Bat - Auto Update.lnk
backup=C:\WINDOWS\pss\Bat - Auto Update.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Wraith^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Wraith\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Wraith^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Wraith\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 04:12 94208 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 14:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2005-11-02 21:52 461544 C:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 02:06 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-08-08 15:54 7630848 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
--a------ 2006-08-04 17:15 321040 C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2006-09-18 17:34 1807960 C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-21 20:23 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-20 17:00 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{CE-E5-5E-EC-DW}]
C:\WINDOWS\system32\pinz1\cegmgr76.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\UBISOFT\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-04-06 20:22]
R3 PTDMBus;PANTECH USB Modem Composite Device Driver ;C:\WINDOWS\system32\DRIVERS\PTDMBus.sys [2007-08-17 21:56]
R3 PTDMMdm;PANTECH USB Modem Drivers ;C:\WINDOWS\system32\DRIVERS\PTDMMdm.sys [2007-08-17 21:56]
R3 PTDMVsp;PANTECH USB Modem Serial Port ;C:\WINDOWS\system32\DRIVERS\PTDMVsp.sys [2007-08-17 21:56]
R3 PTDMWWAN;PANTECH USB Modem WWAN Driver;C:\WINDOWS\system32\DRIVERS\PTDMWWAN.sys [2007-08-17 21:56]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 21:36:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
.
**************************************************************************
.
Completion time: 2008-04-06 21:38:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-07 01:38:53
ComboFix2.txt 2008-04-07 01:09:25
Pre-Run: 163,754,070,016 bytes free
Post-Run: 163,760,930,816 bytes free





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:09 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?linkid=7715
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 3059 bytes

#8 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 08 April 2008 - 04:06 AM

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\bharebio18 
    C:\WINDOWS\system32\wii 
    C:\WINDOWS\Fonts\svchost.exe
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{CE-E5-5E-EC-DW}
    C:\WINDOWS\system32\pinz1
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=============================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
===================================================
Also please post a new HijackThis log as well.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
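
The entries kahdah lists for removal above (svchost.exe in C:\WINDOWS\Fonts, the "Host Process" autostart pointing at it, and earlier the lsass.exe sitting directly under the user profile) share one pattern: a Windows system-process name, or an autostart target, in a directory where Windows never places one. The script below is an added example, not part of this thread and not code from HijackThis, ComboFix or OTMoveIt2; it runs that check over HijackThis-style "Running processes" and O4 lines. The directory tables are the example's own assumptions and are deliberately short, and the sample log is constructed from paths that appear in the logs above, rearranged into O4 form.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of
this thread or of HijackThis/ComboFix/OTMoveIt2).

Two checks that catch the entries singled out in the thread above:
  1. a Windows system-process name (svchost.exe, lsass.exe, ...) running from
     a directory other than the one Windows installs it in;
  2. an autostart (O4) target that lives in a directory nothing legitimate
     starts from, such as C:\\WINDOWS\\Fonts or directly under a user profile.
"""
import re
from pathlib import PureWindowsPath

# Assumption: these are the only directories these XP system processes run
# from on a clean install. Everything is compared in lower case.
SYSTEM_PROCESS_HOMES = {
    "smss.exe": (r"c:\windows\system32",),
    "csrss.exe": (r"c:\windows\system32",),
    "winlogon.exe": (r"c:\windows\system32",),
    "services.exe": (r"c:\windows\system32",),
    "lsass.exe": (r"c:\windows\system32",),
    "svchost.exe": (r"c:\windows\system32",),
    "spoolsv.exe": (r"c:\windows\system32",),
    "explorer.exe": (r"c:\windows",),
}

# Assumption: directories from which no legitimate program autostarts.
SUSPICIOUS_AUTOSTART_DIRS = (
    r"c:\windows\fonts",
    r"c:\windows\temp",
    r"c:\temp",
)

# A file placed directly in a user's profile root (not in a subfolder).
PROFILE_ROOT_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+$")

# First drive-letter path on a line, stopping at the first executable-type
# extension so "RUNDLL32.EXE C:\...\NvCpl.dll,NvStartup" yields the DLL.
PATH_RE = re.compile(r"[a-z]:\\[^,\r\n]*?\.(?:exe|dll|cpl|scr)", re.IGNORECASE)


def _norm(path):
    """Lower-case, strip, and use backslashes so comparisons are exact."""
    return path.strip().replace("/", "\\").lower()


def check_process(path):
    """Return a reason string if `path` is a system-process name running
    outside its expected directory, else None."""
    p = PureWindowsPath(_norm(path))
    homes = SYSTEM_PROCESS_HOMES.get(p.name)
    if homes is None:
        return None
    parent = str(p.parent)
    if parent in homes:
        return None
    return f"{p.name} running from {parent} (expected {' or '.join(homes)})"


def check_autostart(target):
    """Return a list of reasons an autostart target looks wrong (empty if none)."""
    reasons = []
    n = _norm(target)
    for d in SUSPICIOUS_AUTOSTART_DIRS:
        if n.startswith(d + "\\"):
            reasons.append(f"autostart target under {d}")
    if PROFILE_ROOT_RE.match(n):
        reasons.append("autostart target placed directly in a user profile root")
    proc = check_process(n)
    if proc:
        reasons.append(proc)
    return reasons


def triage(log_text):
    """Scan 'Running processes' and O4 lines; return [(line, reason), ...]."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if re.match(r"[a-z]:\\", line, re.IGNORECASE):
            reason = check_process(line)
            if reason:
                findings.append((line, reason))
        elif line.upper().startswith("O4 - "):
            m = PATH_RE.search(line)
            if m:
                for reason in check_autostart(m.group(0)):
                    findings.append((line, reason))
    return findings


# Constructed sample: paths from the logs above, rearranged into HijackThis
# form (the Fonts svchost.exe was listed under msconfig in the real log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Documents and Settings\Wraith\lsass.exe
C:\WINDOWS\explorer.exe

O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the sample it reports four findings: the two misplaced system-process names from the process list, and two reasons for the Fonts autostart (wrong directory, and svchost.exe outside system32). The legitimate SBCSTray and rundll32-hosted NvCpl entries pass, which is the point of keying on directory rather than on file name alone; on a real log the same rules would still need a human to confirm each hit, since a directory table this short is bound to miss installers that do odd things.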

#9 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 07 May 2008 - 10:14 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here



