twext.exe/Kryptik.AR trojan + foxmalder.cn/Statik application


This topic is locked
8 replies to this topic

#1 Ch0yc3


Posted 29 October 2008 - 12:34 AM

(I had previously placed this post in the "Am I infected? What do I do?" forum, but I think that may have been inappropriate. I have cleared the text in order for it to be deleted.)


Windows XP Pro version 2002, service pack 2

I have ESET NOD32 virus software and SUPERAntiSpyware installed.

I've been having various problems with Spyware and virae of late.

- twext.exe - Variant of Win32/Kryptik.AR trojan, in system32 but unable to delete.

- h t t p : / / foxmalder.cn/loader.exe - Variant of Win32/Statik application

Running ComboFix seems to have had a positive effect. I know it states not to run this before posting, but I already had as I came here from another site. Before ComboFix the 'foxmalder' alert came up every minute from NOD32, even when Terminated and Quarantined, so perhaps it was copying itself.

HijackThis was unable to delete the twext.exe file, and it was impossible to manually delete in safe mode. Since running ComboFix both problems seem to have been solved, but I'm worried about the security of my machine.

I used to have BillP Studio's WinPatrol running from startup, and I didn't have so many problems, I guess as it prompted when objects were trying to run or download onto the system. Unfortunately others using the PC were irritated by the intrusion. Is it a useful piece of protection?

I haven't posted the ComboFix logfile, but I have it if necessary. Here is the HijackThis logfile:


HIJACK THIS LOGFILE:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:29:58, on 29/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\mgabg.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\Lee\Desktop\Desktop Sept 08\majorgeeks.com\NEW Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127098826453
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

--
End of file - 3854 bytes


Is there anything else dangerous? Your expert advice would be much appreciated.


Edited by Ch0yc3, 29 October 2008 - 12:39 AM.
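The HijackThis log above is the artefact the helpers in this thread read line by line, so here is a small Python triage script for that log format. It is an added example, not code from this thread, from Trend Micro or from the BleepingComputer response team. It parses the O2, O4, O20 and O23 line shapes visible in the posted log and flags the entries a responder looks at first: a BHO listed as "(no file)", a service whose binary is "(file missing)" or whose owner is "Unknown owner", and an autostart launched from outside the WINDOWS and Program Files trees. The embedded sample log is constructed from lines modelled on the one posted above, with one made-up "updater" Run entry added to exercise the last check; the `TRUSTED_PREFIXES` list and the flag names are this example's own choices. A flag means "review this", not "this is malicious": the two "(file missing)" services in the posted log are the kind of entries the helper later described as nothing much.

```python
"""Triage helper for Trend Micro HijackThis v2 log lines (added example,
not HijackThis code). Parses O2/O4/O20/O23 lines and flags entries worth a
second look: BHOs with no file, services with a missing binary or unknown
owner, and autostarts outside the Windows / Program Files trees."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Line shapes taken from the HijackThis v2.0.2 format seen in the thread.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.*?) = (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Assumption of this example: autostarts normally live under these trees.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "%windir%\\")


@dataclass
class Entry:
    section: str                 # "O2", "O4", "O20" or "O23"
    name: str
    path: str                    # file path, or the literal "(no file)"
    where: str = ""              # CLSID, registry hive or service owner
    flags: list[str] = field(default_factory=list)


def exe_path(cmd: str) -> str:
    """Pull the executable out of an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.*?\.exe)", cmd)
    return m.group(1) if m else cmd.split()[0]


def _flag(entry: Entry) -> None:
    """Attach review flags; a flag means 'look at this', not 'malicious'."""
    low = entry.path.lower()
    if low == "(no file)":
        entry.flags.append("no-file")
    elif low.endswith("(file missing)"):
        entry.flags.append("file-missing")
    elif not low.startswith(TRUSTED_PREFIXES):
        entry.flags.append("outside-system-dirs")
    if entry.section == "O23" and entry.where.lower() == "unknown owner":
        entry.flags.append("unknown-owner")


def parse_hjt(text: str) -> list[Entry]:
    """Parse the O2/O4/O20/O23 lines of a HijackThis log; other lines are skipped."""
    entries: list[Entry] = []
    for line in text.splitlines():
        line = line.rstrip()
        if m := O2_RE.match(line):
            e = Entry("O2", m["name"], m["path"], m["clsid"])
        elif m := O4_RUN_RE.match(line):
            e = Entry("O4", m["name"], exe_path(m["cmd"]), m["where"])
        elif m := O4_STARTUP_RE.match(line):
            e = Entry("O4", m["name"], m["path"], "Global Startup")
        elif m := O20_RE.match(line):
            e = Entry("O20", m["name"], m["path"])
        elif m := O23_RE.match(line):
            e = Entry("O23", m["name"], m["path"], m["owner"])
        else:
            continue
        _flag(e)
        entries.append(e)
    return entries


def triage(text: str) -> dict[str, list[str]]:
    """Group flagged entries by flag, e.g. {"no-file": ["O2 (no name)"]}."""
    report: dict[str, list[str]] = {}
    for e in parse_hjt(text):
        for f in e.flags:
            report.setdefault(f, []).append(f"{e.section} {e.name}")
    return report


# Constructed sample modelled on the thread's log; the "updater" Run entry
# is made up here purely to exercise the outside-system-dirs check.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:29:58, on 29/10/2008
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Lee\Local Settings\Temp\updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

if __name__ == "__main__":
    for flag, names in sorted(triage(SAMPLE_LOG).items()):
        print(f"{flag:22s} {', '.join(names)}")
```

Run it as a script to see the grouped report, or call `triage()` on the text of a saved log. The script deliberately ignores the R0/R1 browser-setting lines and the process list; extending it is a matter of adding one regex and one `Entry` branch per HijackThis section.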




#2 Ltangelic


Posted 29 October 2008 - 08:09 AM

Hey Ch0yc3,

Welcome to BleepingComputer Forums! I'm Ltangelic and I'll be helping you fix your computer problem.

Take note that I'm still in training, and my posts will have to be checked by an expert. This may cause delays in between my responses, so I ask for your patience. Please stick with me until we get your computer cleaned up or it will be a wasted effort on both sides. ;)

I'm looking at your log now, and I'll post back with a fix when I'm ready. Thanks for your patience.

PS. If I've not been responding, and you wonder why, feel free to PM me and I'll give an explanation.

LT

Bleepingcomputer Malware Response Team


Please do NOT PM anyone with HJT logs, read this and post your logs here.


#3 Ch0yc3


Posted 29 October 2008 - 07:35 PM

Hey Ltangelic, it's great to have your assistance. I thought it may be important to tell you that ComboFix found the RootKit malware present when I ran it previously. Hope this is of some help.

Ch0yc3

#4 Ltangelic


Posted 30 October 2008 - 05:56 AM

Hey Ch0yc3,

Thanks for informing me about the ComboFix log; is it possible for you to post ComboFix.txt on here for me to see? Please don't attach it though. Thanks. :thumbsup:

I don't see much in your log, please download the tool below and follow the instructions carefully. :)
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized) and don't attach the logs unless told.



#5 Ch0yc3


Posted 30 October 2008 - 08:20 PM

COMBOFIX LOG:

ComboFix 08-10-28.01 - Lee 2008-10-29 4:24:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.323 [GMT 0:00]
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\twain_32
C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds
C:\Documents and Settings\NetworkService\Application Data\twain_32
C:\Documents and Settings\NetworkService\Application Data\twain_32\user.ds
C:\WINDOWS\system32\twain_32
C:\WINDOWS\system32\twain_32\local.ds
C:\WINDOWS\system32\twain_32\user.ds
C:\WINDOWS\system32\twext.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-29 )))))))))))))))))))))))))))))))
.

2008-10-29 02:46 . 2008-10-29 02:46 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-29 02:46 . 2008-10-29 02:46 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\SUPERAntiSpyware.com
2008-10-29 02:46 . 2008-10-29 02:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-29 01:26 . 2008-10-29 01:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-29 01:26 . 2008-10-29 01:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-10-21 22:24 . 2008-10-21 22:24 260 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-10-21 21:59 . 2008-10-29 02:47 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-10-21 21:50 . 2008-10-29 02:42 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-10-20 20:07 . 2008-10-20 20:08 <DIR> d-------- C:\Program Files\Real Alternative
2008-10-16 01:16 . 2008-10-16 01:17 695,642 --a------ C:\WINDOWS\unins000.exe
2008-10-16 01:16 . 2008-10-16 01:17 8,871 --a------ C:\WINDOWS\unins000.dat
2008-10-16 00:02 . 2007-08-08 08:52 185,856 --a------ C:\WINDOWS\system32\drivers\rig3usb.sys
2008-10-16 00:02 . 2007-08-08 08:52 25,600 --a------ C:\WINDOWS\system32\drivers\rig3avs.sys
2008-10-16 00:00 . 2008-10-16 00:00 <DIR> d-------- C:\Program Files\Common Files\Native Instruments
2008-10-16 00:00 . 2008-10-16 00:00 <DIR> d-------- C:\Program Files\Common Files\Digidesign
2008-10-15 23:56 . 2008-10-16 00:02 <DIR> d-------- C:\Program Files\Native Instruments
2008-10-08 10:57 . 2008-10-08 10:57 <DIR> d-------- C:\Program Files\Medieval Software
2008-09-29 23:43 . 2008-09-29 23:43 <DIR> d-------- C:\Program Files\Renoise 1.9.1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-29 02:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-29 02:44 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-21 21:39 --------- d-----w C:\Program Files\Eset
2008-10-20 20:05 --------- d-----w C:\Program Files\Common Files\Real
2008-10-19 19:45 --------- d-----w C:\Program Files\Soulseek
2008-10-17 23:02 --------- d-----w C:\Documents and Settings\Lee\Application Data\uTorrent
2008-10-08 09:33 --------- d-----w C:\Program Files\Waves
2008-09-30 01:07 --------- d-----w C:\Program Files\uTorrent
2008-09-25 12:02 --------- d-----w C:\Documents and Settings\Dad\Application Data\Talkback
2008-09-17 18:37 --------- d-----w C:\Documents and Settings\Lee\Application Data\Renoise
2008-09-15 18:27 --------- d-----w C:\Documents and Settings\mum\Application Data\Talkback
2008-09-15 14:18 --------- d-----w C:\Program Files\xStarter
2008-09-15 02:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-15 01:15 --------- d-----w C:\Documents and Settings\Lee\Application Data\Talkback
2008-09-14 23:43 --------- d-----w C:\Program Files\Lavasoft
2008-09-14 23:43 --------- d-----w C:\Documents and Settings\Lee\Application Data\Lavasoft
2008-09-14 23:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-14 20:12 --------- d-----w C:\Program Files\TeaTimer (Spybot - Search & Destroy)
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-26 917504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoSMMyDocs"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoAutoTrayNotify"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoStartMenuSubFolders"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\ABC\\abc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\svchost.exe"=
"C:\\Documents and Settings\\Dad\\Local Settings\\Application Data\\Skype\\Phone\\Skype.exe"=

R2 gearsec;gearsec;C:\WINDOWS\system32\gearsec.exe [2003-12-01 53248]
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 60800]
S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w300mdfl.sys [2006-03-13 9264]
S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w300mdm.sys [2006-03-13 96352]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w300mgmt.sys [2006-03-13 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w300obex.sys [2006-03-13 85696]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\imy5i5ud.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_05\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_05\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_05\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_05\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_05\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_05\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npsid.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-29 04:32:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\mgabg.exe
C:\Program Files\Eset\nod32krn.exe
.
**************************************************************************
.
Completion time: 2008-10-29 4:42:45 - machine was rebooted [Lee]
ComboFix-quarantined-files.txt 2008-10-29 04:42:37

Pre-Run: 1,075,765,248 bytes free
Post-Run: 1,002,352,640 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


#6 Ch0yc3


Posted 30 October 2008 - 08:23 PM

RSIT LOG.TXT:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Lee at 2008-10-31 01:17:04
Microsoft Windows XP Professional Service Pack 2
System drive C: has 815 MB (4%) free of 20 GB
Total RAM: 511 MB (46% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:17:21, on 31/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\mgabg.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Lee\Desktop\RSIT.exe
C:\Documents and Settings\Lee\Desktop\Desktop Sept 08\majorgeeks.com\NEW Hijack This\Lee.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127098826453
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

--
End of file - 3930 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"=C:\Program Files\Eset\nod32kui.exe [2007-06-26 917504]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-09-03 1576176]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-07-23 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoBandCustomize"=0
"NoSMMyDocs"=1
"Intellimenus"=1
"NoInstrumentation"=1
"MemCheckBoxInRunDlg"=1
"NoAutoTrayNotify"=1
"NoSimpleStartMenu"=1
"NoSMConfigurePrograms"=1
"NoStartMenuMFUprogramsList"=1
"NoSMHelp"=1
"NoSMMyPictures"=1
"NoStartMenuMyMusic"=1
"NoStartMenuSubFolders"=1
"ForceStartMenuLogOff"=1
"NoDesktopCleanupWizard"=1
"ForceClassicControlPanel"=1
"NoSharedDocuments"=1
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"ForceClassicControlPanel"=
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\uTorrent\utorrent.exe"="C:\Program Files\uTorrent\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Soulseek\slsk.exe"="C:\Program Files\Soulseek\slsk.exe:*:Enabled:SoulSeek"
"C:\Program Files\ABC\abc.exe"="C:\Program Files\ABC\abc.exe:*:Enabled:abc"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\WINDOWS\system32\svchost.exe"="C:\WINDOWS\system32\svchost.exe:*:Enabled:svchost"
"C:\Documents and Settings\Dad\Local Settings\Application Data\Skype\Phone\Skype.exe"="C:\Documents and Settings\Dad\Local Settings\Application Data\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======List of files/folders created in the last 1 months======

2008-10-31 01:17:04 ----D---- C:\rsit
2008-10-30 04:18:35 ----D---- C:\Program Files\SDHelper (Spybot - Search & Destroy)
2008-10-29 05:37:12 ----SHD---- C:\RECYCLER
2008-10-29 04:42:54 ----D---- C:\WINDOWS\temp
2008-10-29 04:42:47 ----A---- C:\ComboFix.txt
2008-10-29 04:19:40 ----A---- C:\Boot.bak
2008-10-29 04:19:21 ----RASHD---- C:\cmdcons
2008-10-29 02:55:39 ----A---- C:\WINDOWS\NIRCMD.exe
2008-10-29 02:55:36 ----A---- C:\WINDOWS\zip.exe
2008-10-29 02:55:36 ----A---- C:\WINDOWS\SWREG.exe
2008-10-29 02:55:36 ----A---- C:\WINDOWS\grep.exe
2008-10-29 02:55:35 ----A---- C:\WINDOWS\VFIND.exe
2008-10-29 02:55:35 ----A---- C:\WINDOWS\sed.exe
2008-10-29 02:55:35 ----A---- C:\WINDOWS\fdsv.exe
2008-10-29 02:55:33 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-10-29 02:55:33 ----A---- C:\WINDOWS\SWSC.exe
2008-10-29 02:46:28 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-29 02:46:11 ----D---- C:\Program Files\SUPERAntiSpyware
2008-10-29 02:46:10 ----D---- C:\Documents and Settings\Lee\Application Data\SUPERAntiSpyware.com
2008-10-29 02:36:24 ----D---- C:\WINDOWS\ERDNT
2008-10-29 02:36:24 ----D---- C:\Qoobox
2008-10-21 21:59:44 ----D---- C:\Program Files\Spyware Doctor
2008-10-21 21:50:23 ----D---- C:\Program Files\SpywareBlaster
2008-10-20 20:07:59 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2008-10-20 20:07:59 ----A---- C:\WINDOWS\system32\pndx5032.dll
2008-10-20 20:07:59 ----A---- C:\WINDOWS\system32\pndx5016.dll
2008-10-20 20:07:59 ----A---- C:\WINDOWS\system32\pncrt.dll
2008-10-20 20:07:53 ----D---- C:\Program Files\Real Alternative
2008-10-20 20:07:53 ----D---- C:\Documents and Settings\All Users\Application Data\Real
2008-10-19 23:41:11 ----N---- C:\WINDOWS\system32\spmsg.dll
2008-10-16 01:16:43 ----A---- C:\WINDOWS\unins000.exe
2008-10-16 00:00:52 ----D---- C:\Program Files\Common Files\Native Instruments
2008-10-16 00:00:31 ----D---- C:\Program Files\Common Files\Digidesign
2008-10-15 23:56:55 ----D---- C:\Program Files\Native Instruments
2008-10-08 10:57:49 ----D---- C:\Program Files\Medieval Software

======List of files/folders modified in the last 1 months======

2008-10-31 01:06:36 ----D---- C:\Program Files\Mozilla Firefox
2008-10-31 01:01:52 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-30 05:07:04 ----D---- C:\WINDOWS
2008-10-30 04:38:11 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-30 04:18:36 ----D---- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-10-30 04:18:35 ----D---- C:\Program Files
2008-10-30 04:05:39 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-30 03:39:46 ----D---- C:\Program Files\Soulseek
2008-10-29 18:01:14 ----D---- C:\WINDOWS\system32
2008-10-29 05:41:55 ----SHD---- C:\WINDOWS\Installer
2008-10-29 05:41:55 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-29 05:41:53 ----SHD---- C:\Config.Msi
2008-10-29 04:31:54 ----A---- C:\WINDOWS\system.ini
2008-10-29 04:30:13 ----D---- C:\WINDOWS\system32\drivers
2008-10-29 04:28:30 ----D---- C:\WINDOWS\system32\config
2008-10-29 04:26:27 ----D---- C:\WINDOWS\AppPatch
2008-10-29 04:26:27 ----D---- C:\Program Files\Common Files
2008-10-29 04:19:41 ----RASH---- C:\boot.ini
2008-10-29 02:55:32 ----SHD---- C:\System Volume Information
2008-10-29 02:55:32 ----D---- C:\WINDOWS\system32\Restore
2008-10-26 01:49:04 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-23 01:51:58 ----A---- C:\WINDOWS\win.ini
2008-10-21 23:55:04 ----D---- C:\Documents and Settings\Lee\Application Data\Adobe
2008-10-21 23:55:04 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-10-21 21:39:44 ----D---- C:\Program Files\Eset
2008-10-20 20:05:02 ----D---- C:\Program Files\Common Files\Real
2008-10-19 23:41:34 ----HD---- C:\WINDOWS\inf
2008-10-19 23:41:34 ----D---- C:\WINDOWS\system32\CatRoot
2008-10-17 23:02:51 ----D---- C:\Documents and Settings\Lee\Application Data\uTorrent
2008-10-08 09:33:16 ----D---- C:\Program Files\Waves

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aspi32;Aspi32; C:\WINDOWS\System32\drivers\aspi32.sys [1999-09-10 25244]
R1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2004-08-04 42496]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]
R2 AMON;AMON; \??\C:\WINDOWS\system32\drivers\amon.sys []
R3 ac97intc;Intel® 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
R3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
R3 G400DH;G400DH; C:\WINDOWS\system32\DRIVERS\g400dhm.sys [2004-09-14 348800]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2005-04-15 14408]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-23 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-23 12160]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 LVcKap;Logitech AEC Driver; C:\WINDOWS\system32\DRIVERS\LVcKap.sys [2007-02-06 1691808]
S3 LVMVDrv;Logitech Machine Vision Engine Loader; C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys [2007-02-06 1964064]
S3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys [2007-02-06 25632]
S3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS\system32\drivers\LVUSBSta.sys [2007-02-03 41504]
S3 msgame;Sidewinder HID to Joystick Port Enabler; C:\WINDOWS\system32\DRIVERS\msgame.sys [2001-08-17 35200]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2004-08-03 40320]
S3 Nokia USB Generic;Nokia USB Generic; C:\WINDOWS\system32\drivers\nmwcdc.sys [2006-10-10 9216]
S3 Nokia USB Modem;Nokia USB Modem; C:\WINDOWS\system32\drivers\nmwcdcm.sys [2006-10-10 12800]
S3 Nokia USB Phone Parent;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcd.sys [2006-10-10 138240]
S3 Nokia USB Port;Nokia USB Port; C:\WINDOWS\system32\drivers\nmwcdcj.sys [2006-10-10 12800]
S3 pepifilter;Volume Adapter; C:\WINDOWS\system32\DRIVERS\lv302af.sys [2007-02-03 14240]
S3 PID_PEPI;Logitech QuickCam IM(PID_PEPI); C:\WINDOWS\system32\DRIVERS\LV302V32.SYS [2007-02-03 938272]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 w300bus;Sony Ericsson W300 Driver driver (WDM); C:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 60800]
S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\w300mdfl.sys [2006-03-13 9264]
S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\w300mdm.sys [2006-03-13 96352]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\w300mgmt.sys [2006-03-13 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\w300obex.sys [2006-03-13 85696]
S3 w810bus;Sony Ericsson W810 Driver driver (WDM); C:\WINDOWS\system32\DRIVERS\w810bus.sys []
S3 w810mdfl;Sony Ericsson W810 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\w810mdfl.sys []
S3 w810mdm;Sony Ericsson W810 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\w810mdm.sys []
S3 w810mgmt;Sony Ericsson W810 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\w810mgmt.sys []
S3 w810obex;Sony Ericsson W810 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\w810obex.sys []
S3 wlluc48;Wireless LAN PC Card Driver; C:\WINDOWS\system32\DRIVERS\wlluc48.sys [2004-08-03 154624]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 gearsec;gearsec; C:\WINDOWS\system32\gearsec.exe [2003-12-01 53248]
R2 MGABGEXE;MGABGEXE; C:\WINDOWS\system32\mgabg.exe [2002-01-16 81920]
R2 NOD32krn;NOD32 Kernel Service; C:\Program Files\Eset\nod32krn.exe [2007-06-26 495616]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2005-08-02 86016]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2006-11-06 210432]
S4 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S4 LVPrcSrv;Process Monitor; c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe [2007-02-06 109344]
S4 LVSrvLauncher;LVSrvLauncher; C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe [2007-02-06 105248]
S4 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S4 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2007-11-18 14336]

-----------------EOF-----------------



RSIT INFO.TXT :

info.txt logfile of random's system information tool 1.04 2008-10-31 01:17:23

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent-->"C:\Program Files\uTorrent\uninstall.exe"
7-Zip 4.23-->"C:\Program Files\7-Zip\Uninstall.exe"
ABC (remove only)-->C:\Program Files\ABC\Uninstall.exe
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop CS-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Audio/Video To MP3 Maker version 3.1-->"C:\Program Files\AV2MP3\unins000.exe"
AVI Joiner-->"C:\Program Files\avijoin\unins000.exe"
burnatonce-->"C:\Program Files\burnatonce\unins000.exe"
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
CCS64 V3.5-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Computerbrains\CCS64 V3.5\Uninst.isu"
CDex extraction audio-->"C:\Program Files\CDex_150\uninstall.exe"
CDisplay 1.8-->"C:\Program Files\CDisplay\unins000.exe"
Combined Community Codec Pack 2007-02-22-->"C:\Program Files\Combined Community Codec Pack\unins000.exe"
Cool MP3 Splitter 2.2-->"C:\Program Files\Cool MP3 Splitter\unins000.exe"
Daily Brain Training 1.01-->C:\WINDOWS\iun6002.exe "C:\Program Files\Daily Brain Training\irunin.ini"
DC++ 0.674-->"C:\Program Files\DC++\uninstall.exe"
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
Emagic Logic Audio Platinum 5.5.1-->C:\PROGRA~1\emagic\LOGIC5~1\UNWISE.EXE C:\PROGRA~1\emagic\LOGIC5~1\INSTALL.LOG
FLAC Installer 1.1.2a (remove only)-->C:\Program Files\FLAC\uninstall.exe
Handbrake 0.9.2-->C:\Program Files\Handbrake\uninst.exe
HighMAT Extension to Microsoft Windows XP CD Writing Wizard-->MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2-->"C:\Documents and Settings\Lee\Desktop\Desktop Sept 08\majorgeeks.com\NEW Hijack This\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
InFlac 1.1.1-->"C:\Program Files\Winamp\InFlac-Uninstall.exe"
J2SE Runtime Environment 5.0 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150050}
Jasc Paint Shop Pro 9-->MsiExec.exe /I{F843C6A3-224D-4615-94F8-3C461BD9AEA0}
Korg Legacy Collection v1.1.9-->C:\PROGRA~1\KORGLE~1\UNWISE.EXE C:\PROGRA~1\KORGLE~1\INSTALL.LOG
Logitech Audio Echo Cancellation Component-->MsiExec.exe /X{BEF726DD-4037-4214-8C6A-E625C02D2870}
Logitech QuickCam-->MsiExec.exe /X{7D2370AC-D8E6-4996-986A-19824F8A167C}
Logitech Video Enumerator-->MsiExec.exe /X{EA516024-D84D-41F1-814F-83175A6188F2}
Logitech® Camera Driver-->"C:\Program Files\Common Files\LogiShrd\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Macromedia Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Matrox Graphics Software (remove only)-->C:\WINDOWS\system32\PDesk\PDUninst.exe
MediaCoder 0.5.1-->C:\Program Files\MediaCoder\uninst.exe
Medieval CUE Splitter-->MsiExec.exe /I{B96D2269-568B-4CBF-9332-12FAE8B158F7}
Mega Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3B6E3FC6-274C-4B6C-BC85-5C3B15DE18E2}\setup.exe" -l0x9 -removeonly
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Miracle C Shareware Package-->MsiExec.exe /I{08C5E3B0-3402-4AF5-8656-2D76B80FB6ED}
MixMeister Fusion Demo-->MsiExec.exe /I{6DDB8CC8-3F13-4E72-8203-51AA081E7DE0}
MixMeister Pro 6-->MsiExec.exe /I{E39DF79E-B969-47E2-BB64-071A68871C6F}
Mobile Media Converter-->"C:\Program Files\MIKSOFT\Mobile Media Converter\unins000.exe"
Monkey's Audio-->"C:\Program Files\Monkey's Audio\unins000.exe"
Mozilla Firefox (2.0.0.17)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MVision-->MsiExec.exe /I{35725FBC-A136-4A46-9F29-091759D9BB93}
Native Instruments - Rig Kontrol 3 Driver-->C:\Program Files\Native Instruments\Rig Kontrol 3 Driver\uninst.exe Software\Native Instruments\Rig Kontrol 3 Driver\Setup
Native Instruments Guitar Rig 3-->C:\PROGRA~1\NATIVE~1\GUITAR~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\GUITAR~1\INSTALL.LOG
Native Instruments Service Center-->C:\PROGRA~1\NATIVE~1\SERVIC~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\SERVIC~1\INSTALL.LOG
Nero 6 Enterprise Edition-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nero BurnRights-->C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
NOD32 antivirus system-->C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX v1.8-->"C:\Program Files\Eset\unins000.exe"
Nokia Connectivity Cable Driver-->MsiExec.exe /X{0FF1922C-B6C4-40BB-AF30-BEF75A482444}
Nokia PC Suite-->MsiExec.exe /I{D89AC4DF-7A00-4D0B-BA99-D582C7974A09}
PC Connectivity Solution-->MsiExec.exe /I{AB2347E4-153B-4194-AA3B-97C0A662B369}
Power Tab Editor 1.7-->MsiExec.exe /I{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}
Privoxy 3.0.6-->"C:\Program Files\Privoxy\privoxy_uninstall.exe"
QuickTime Alternative 1.81-->"C:\Program Files\QuickTime Alternative\unins000.exe"
Real Alternative 1.9.0-->"C:\Program Files\Real Alternative\unins000.exe"
ReBirth RB-338 2.0-->C:\PROGRA~1\PROPEL~1\REBIRT~1.0\UNWISE.EXE C:\PROGRA~1\PROPEL~1\REBIRT~1.0\INSTALL.LOG
Renoise 1.9.1-->"C:\Program Files\Renoise 1.9.1\unins000.exe"
Replay Media Catcher-->"C:\WINDOWS\Replay Media Catcher\uninstall.exe" "/U:C:\Program Files\Replay Media Catcher\Uninstall\uninstall.xml"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893066)-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899588)-->"C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Sony Sound Forge 7.0-->MsiExec.exe /I{0712667C-A171-49AE-A098-4ACDA28625F8}
SoulSeek Client 156c-->"C:\Program Files\Soulseek\uninstall.exe"
Spybot - Search & Destroy 1.4-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
Streambox Vcr Suite 2-->"C:\Program Files\StreamboxVcrSuite2\unins000.exe"
StudioDevil VGA 1.3-->"C:\WINDOWS\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Tor 0.1.1.26-->"C:\Program Files\Tor\Uninstall.exe"
TubeHunter Ultra-->MsiExec.exe /I{6951AFF1-7E53-4BD7-AB1F-4DB10549A8FC}
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB896727)-->"C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
URL Snooper v2.04.03-->"C:\Program Files\URLSnooper2\unins000.exe"
Vidalia 0.0.7-->"C:\Program Files\Vidalia\uninstall.exe"
VideoLAN VLC media player 0.8.5-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Driver Package - Nokia (WUDFRd) WPD (11/03/2006 6.82.26.2)-->C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_6B630EE2E66584353C6CD8683D447072872F34D8\pccswpddriver.inf
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)-->C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_4EFFAAE27A08EDFDE145390033D8EF099DA65567\nokbtmdm.inf
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
WinPcap 3.1-->C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Xilisoft FLV Converter-->C:\Program Files\Xilisoft\FLV Converter 3\Uninstall.exe
xStarter-->"C:\Program Files\xStarter\unins000.exe"

Securitycenter WMI appears to be broken

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\PC Connectivity Solution;C:\Program Files\Common Files\Teleca Shared
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 8 Stepping 10, GenuineIntel
"PROCESSOR_REVISION"=080a
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

#7 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  • Gender:Female
  • Location:Somewhere
  • Local time:12:27 PM

Posted 01 November 2008 - 09:58 AM

Hey Ch0yc3,

Important: It seems that you have cracks running on your computer. Please be aware that it is both illegal and dangerous to have cracks, as a lot of malware is bundled with them, and this can compromise your computer's security. Please follow my instructions carefully to remove the cracks on your computer.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

1) Remove Programs

Please go to Add or Remove Programs and remove the following (if present):

NOD32 FiX v1.8
NOD32 antivirus system
µTorrent


Optional Removal (highlighted in green): uTorrent is a P2P program that can compromise your computer's security; it's highly recommended that you remove it.

NEXT

Use Windows Explorer and remove the following (if present):

C:\Documents and Settings\Lee\Application Data\uTorrent
C:\Program Files\uTorrent


Reboot your computer.

Important! After you uninstall the programs above, please go to the links provided below, then download and install ONE of the following anti-virus protection programs.

Avira Antivir (recommended)
Avast! Home Edition
AVG 8 Free

2) Run CFScript

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll:

File::
C:\WINDOWS\system32\ikhcore.cfg
C:\WINDOWS\unins000.exe
C:\WINDOWS\unins000.dat
C:\Program Files\Eset

Registry::
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

3) Run Lop S&D

Disable resident protections (in your case, please disable ESET NOD32); you'll re-enable them after the scan.

Download Lop S&D here

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

4) Update Java

Your Java is out of date.
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 10.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u10-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Next reply (please include):

Note: Please do NOT attach the logs; post ONE log in each post.

Fresh HijackThis log
ComboFix.txt
lopR.txt

Bleepingcomputer Malware Response Team


Please do NOT PM anyone with HJT logs, read this and post your logs here.


#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:27 AM

Posted 03 November 2008 - 11:55 AM

Hello.

Ltangelic will be busy for the next few days, so I will be helping you.

Please complete the steps above.

With Regards,
The Panda

Edited by PropagandaPanda, 03 November 2008 - 11:55 AM.


#9 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:06:27 AM

Posted 07 November 2008 - 02:29 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Microsoft MVP Consumer Security