
Possible Sapmi_vcstats.exe Infection


2 replies to this topic

#1 pattitude

Posted 07 July 2008 - 07:07 PM

After downloading a program, said program wanted to initiate another program called sapmi_vcstats.exe (a program I did NOT knowingly download). My firewall (Comodo) picked it up and I denied the request. I did some research and thought it prudent to use combofix given the nature of the malware.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-07 19:51:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
88: 2008-07-07 23:51:14 UTC - RP268 - Deckard's System Scanner Restore Point
87: 2008-07-07 20:54:19 UTC - RP267 - ComboFix created restore point
86: 2008-07-07 18:41:22 UTC - RP266 - Removed TubeHunter Ultra
85: 2008-07-07 12:39:54 UTC - RP265 - System Checkpoint
84: 2008-07-06 12:38:50 UTC - RP264 - System Checkpoint


-- First Restore Point --
1: 2008-04-09 06:20:59 UTC - RP181 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 15.01 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:49 PM, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\sttray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\STacSV.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Documents and Settings\Administrator\Desktop\Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll,avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 5560 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 EIO - c:\windows\system32\drivers\eio.sys <Not Verified; ASUSTeK Computer Inc.; ASUS Kernel Mode Driver for NT>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 PciCon - d:\pcicon.sys (file missing)
S3 SetupSys (Conexant Setup API) - c:\windows\system32\drivers\setupsys.sys <Not Verified; Conexant; Diagnostic Interface>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 STacSV (SigmaTel Audio Service) - c:\windows\system32\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F40&SUBSYS_200014F1&REV_00\4&1E46F438&0&08F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F40&SUBSYS_200014F1&REV_00\4&1E46F438&0&08F0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-06-25 10:56:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-07 and 2008-07-07 -----------------------------

2008-07-07 19:52:31 0 d-------- C:\Program Files\Trend Micro
2008-07-07 16:55:06 0 d-------- C:\cmdcons
2008-07-07 16:52:19 68096 --a------ C:\WINDOWS\zip.exe
2008-07-07 16:52:19 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-07 16:52:19 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-07 16:52:19 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-07 16:52:19 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-07 16:52:19 98816 --a------ C:\WINDOWS\sed.exe
2008-07-07 16:52:19 80412 --a------ C:\WINDOWS\grep.exe
2008-07-07 16:52:19 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-07 15:49:19 0 d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-07-07 14:04:33 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-06 21:46:43 0 d-------- C:\Program Files\Bulk Rename Utility
2008-07-06 21:46:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Tarma Installer
2008-07-04 19:35:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mp3tag
2008-07-04 19:35:24 0 d-------- C:\Program Files\Mp3tag
2008-07-04 19:19:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Hulubulu


-- Find3M Report ---------------------------------------------------------------

2008-07-07 16:44:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-06 14:46:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Vso
2008-07-05 14:20:14 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-07-03 21:51:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-05-27 00:49:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-05-24 11:19:34 0 d-------- C:\Program Files\AVG
2008-05-13 20:02:38 0 d-------- C:\Program Files\Soldier of Fortune II - Double Helix
2008-05-11 22:32:48 0 d-------- C:\Program Files\uTorrent


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
07/03/2008 08:28 PM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [07/03/2008 08:28 PM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" [05/06/2007 08:10 PM C:\WINDOWS\sttray.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [07/25/2006 02:31 AM]
"nwiz"="nwiz.exe" [07/25/2006 02:32 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [07/25/2006 02:32 AM]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [12/12/2007 02:06 PM]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [05/11/2007 03:08 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/03/2008 08:28 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [06/27/2007 08:03 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [12/31/2002 08:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\guard32.dll,avgrsstx.dll

*Newly Created Service* - ASPI32
*Newly Created Service* - CATCHME



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8796 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-07 19:54:45 ------------

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® D CPU 3.33GHz
Percentage of Memory in Use: 29%
Physical Memory (total/avail): 2557.98 MiB / 1803.95 MiB
Pagefile Memory (total/avail): 3156.94 MiB / 2618.26 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.33 MiB

C: is Fixed (NTFS) - 111.78 GiB total, 15.02 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3120813AS - 111.79 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 111.78 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PMPC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\PMPC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0605
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=PMPC
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Arcade@Home v0.37b --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Arcade_at_Home\ST6UNST.LOG"
ArtMoney SE v7.26 --> "C:\Program Files\ArtMoney\Uninstall\unins000.exe"
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Bulk Rename Utility 2, 7, 0, 3 --> C:\DOCUME~1\ALLUSE~1\APPLIC~1\TARMAI~1\{991B1~1\Setup.exe /remove /q0
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CDisplay 1.8 --> "C:\Program Files\CDisplay\unins000.exe"
City of Villains/City of Heroes (remove only) --> "C:\Program Files\City of Heroes\uninstall.exe"
COMODO Firewall Pro --> C:\Program Files\COMODO\Firewall\cfpconfg.exe -u
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Audio Extractor 4.2.1 --> "C:\Program Files\DVD Audio Extractor\unins000.exe"
DVDFab Platinum 4.0.1.2 --> "C:\Program Files\DVDFab Platinum 4\unins000.exe"
E-Tools --> C:\Program Files\Wizards of the Coast\eTools\uninstall.exe
EULAlyzer v1.2 --> "C:\Program Files\EULAlyzer\unins000.exe"
FirstClass® Client --> C:\Program Files\InstallShield Installation Information\{5B35C417-2649-11D6-83D1-0050FC01225C}\setup.exe -runfromtemp -l0x0009 -uninst -removeonly
Foxit PDF Editor --> C:\Program Files\Foxit Software\PDF Editor\uninstall.exe
Hero Builder Setup --> MsiExec.exe /I{1CE181E0-DB37-43C8-97B1-AA50356E7ACE}
Heroes of Might & Magic V: Hammers of Fate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66FF4C48-0083-4E60-8556-B883AB200091}\setup.exe" -l0x9
Heroes of Might and Magic V - Tribes of the East --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66FF4C48-0083-4E60-8556-B883AB200092}\setup.exe" -l0x9
Heroes of Might and Magic V Collector Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DDB68A90-340C-42B9-B42B-D2CBED1B91DC}\setup.exe" -l0x9
Intel® PRO Network Connections Drivers --> Prounstl.exe
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
K-Lite Mega Codec Pack 3.5.7 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\setup.exe" -l0x9 UNINSTALL
Logitech Gaming Software 5.01 --> MsiExec.exe /X{C5961323-A2E5-4FAB-B92D-DBF6C282F0F5}
Logitech MouseWare 9.79 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0x9 -l0009 UNINSTALL
Magic ISO Maker v5.3 (build 0221) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.14) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
Mp3tag v2.41 --> C:\Program Files\Mp3tag\Mp3tagUninstall.EXE
Nero 7 Premium --> MsiExec.exe /X{CF097717-F174-4144-954A-FBC4BF301033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
O&O Defrag Professional Edition --> MsiExec.exe /I{53480330-E1D1-41CA-B8F8-7F78644F7F50}
PCGen5121 --> C:\Program Files\PCGen\uninstall-PCGen5121.exe
Pcsx2 0.9.4 Watermoose --> "C:\Program Files\Pcsx2_0.9.4\unins000.exe"
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
QuickTime Alternative 2.1.1 --> "C:\Program Files\QuickTime Alternative\unins000.exe"
RamBooster --> C:\Program Files\RamBooster 2.0\Uninst.exe /pid:{ADE3CACC-EC31-480C-83A0-587EE60CE8DF} /asd
RomCenter 3.00 beta 1 --> "C:\Program Files\Romcenter\uninst\unins000.exe"
Sid Meier's Civilization 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}\setup.exe" -l0x9 -removeonly
Sid Meier's Civilization 4 - Warlords --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3E4B349F-10B5-4586-9D99-489A90A8B228}\setup.exe" -l0x9 -removeonly
Soldier of Fortune II - Double Helix --> C:\PROGRA~1\SOLDIE~1\Uninstall\Unwise.exe /u C:\PROGRA~1\SOLDIE~1\Uninstall\install.log
Songbird 0.4 (20071226) --> "C:\Program Files\Songbird\Songbird-Uninstall.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
The Roleplaying assistant V7.13a --> MsiExec.exe /X{DA5BE26C-8295-4F7F-BBA8-475EF9231289}
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
WinHTTrack Website Copier 3.42-2 --> "C:\Program Files\WinHTTrack\unins000.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type6905 / Error
Event Submitted/Written: 07/07/2008 06:31:41 PM
Event ID/Source: 1090 / Userenv
Event Description:
Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.

Event Record #/Type6904 / Error
Event Submitted/Written: 07/07/2008 06:26:44 PM
Event ID/Source: 1090 / Userenv
Event Description:
Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.

Event Record #/Type6900 / Error
Event Submitted/Written: 07/07/2008 04:51:44 PM
Event ID/Source: 1090 / Userenv
Event Description:
Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.

Event Record #/Type6899 / Error
Event Submitted/Written: 07/07/2008 04:41:41 PM
Event ID/Source: 1090 / Userenv
Event Description:
Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.

Event Record #/Type6898 / Error
Event Submitted/Written: 07/07/2008 03:18:44 PM
Event ID/Source: 1090 / Userenv
Event Description:
Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type548 / Warning
Event Submitted/Written: 07/07/2008 02:34:53 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type529 / Warning
Event Submitted/Written: 07/06/2008 02:50:18 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type528 / Warning
Event Submitted/Written: 07/04/2008 02:02:04 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type527 / Warning
Event Submitted/Written: 07/04/2008 01:14:31 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type526 / Warning
Event Submitted/Written: 07/04/2008 06:45:09 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-07-07 19:54:45 ------------

#2 middle of nowhere


Posted 31 July 2008 - 07:35 AM

Sorry for the delay.

Welcome to the forum. I am checking your log now and will return as soon as I have researched all the items.

While we are working together, please:
  • Reply to this thread. Do not start a new topic.
  • If you are unsure of what to do, stop and ask! Don't keep going on.
  • Be patient. HijackThis logs take some time to research.
Please note the following:
  • I will be working on your malware issues. This may or may not solve other issues you may have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine is clear. (Absence of symptoms does not mean that everything is clear.)
  • The process may take considerable time.

Middle of Nowhere

#3 middle of nowhere


Posted 31 July 2008 - 07:39 AM

Hi pattitude

I need you to do the following:
  • Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  • Double click on mbam-setup.exe to install it.
  • Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  • Select the Scanner tab. Click on Perform full scan, then click on Scan.
  • Leave the default options as they are and click on Start Scan.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Check (tick) all items and click on Remove Selected.
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.
Also, can you please post a new HijackThis log?

Please let me know if you get any problems.

Many Thanks
Middle of Nowhere



