Zlob.DNSChanger.Rtfk


22 replies to this topic

#1 Nezu
  • Members
  • 15 posts
  • Gender:Male
  • Location:Washington

Posted 26 November 2008 - 05:16 PM

So, I scanned my computer with Spybot S&D because I noticed a slowness running through my computer, and the scan came up with an old "friend" of mine again. This is probably my fourth time getting this trojan; it is usually deleted after my first scan and a second one to confirm, but it always comes back. Below is a HijackThis report, and I've attached a screenshot of what Spybot has found and where it is located in my registry. Please help. :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:42 PM, on 11/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Google\Update\GoogleUpdate.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
E:\WINDOWS\Mixer.exe
E:\Program Files\Windows Defender\MSASCui.exe
E:\WINDOWS\VM_STI.EXE
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Documents and Settings\Nezu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
E:\Program Files\Electronic Arts\EADM\Core.exe
E:\Program Files\DNA\btdna.exe
E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\WINDOWS\system32\nvsvc32.exe
e:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
E:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
E:\WINDOWS\regedit.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Skype\Phone\Skype.exe
E:\Program Files\Skype\Plugin Manager\skypePM.exe
E:\WINDOWS\system32\mspaint.exe
E:\Documents and Settings\Nezu\Desktop\HJT Folder\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - E:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.0\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - E:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "E:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CanonSolutionMenu] E:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [Windows Defender] "E:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BigDogPath] E:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "E:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\Nezu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EA Core] E:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "E:\Program Files\DNA\btdna.exe"
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - E:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - E:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.0\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Unknown owner - E:\WINDOWS\System32\appdrvrem01.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c94141d2af585a) (gupdate1c94141d2af585a) - Google Inc. - E:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPTools - Unknown owner - E:\Documents and Settings\Nezu\Desktop\sniffer\iptools.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - E:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - E:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - E:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - E:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
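A first-pass triage of entries like the ones in the log above, as an added example that is not part of this thread and is not HijackThis code: a small Python parser over HijackThis v2 log lines that flags orphaned entries ("(no file)" / "(file missing)"), O23 services with no publisher, O4/O23 binaries living under a user-profile path, Winsock LSPs HijackThis does not recognise, and any AppInit_DLLs entry. The sample lines are constructed from the kinds of entries shown in this log; the severity labels and the heuristics are the example's own, not HijackThis output.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a handful of lines in HijackThis v2 log format, modelled on
# the entries in this thread (not the full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Defender] "E:\Program Files\Windows Defender\MSASCui.exe" -hide
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Unknown owner - E:\WINDOWS\System32\appdrvrem01.exe (file missing)
O23 - Service: IPTools - Unknown owner - E:\Documents and Settings\Nezu\Desktop\sniffer\iptools.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
"""

# A HijackThis entry is "<section> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")

# Path fragments under which an auto-start or service binary is unusual on XP.
USER_WRITABLE = ("\\documents and settings\\", "\\desktop\\", "\\temp\\",
                 "\\application data\\", "\\local settings\\")


@dataclass
class Finding:
    section: str
    severity: str  # "info", "review" or "high" (labels chosen for this example)
    reason: str
    line: str


def triage_line(line: str) -> List[Finding]:
    """Apply simple heuristics to one HijackThis entry; returns zero or more findings."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []  # log header, process list or blank line: nothing to triage
    section, body = m.group("section"), m.group("body")
    lower = body.lower()
    findings: List[Finding] = []

    if "(no file)" in lower or "(file missing)" in lower:
        findings.append(Finding(section, "info", "orphaned entry: referenced file no longer exists", line))
    if section == "O23" and "unknown owner" in lower:
        findings.append(Finding(section, "review", "service carries no publisher information", line))
    if section in ("O4", "O23") and any(d in lower for d in USER_WRITABLE):
        findings.append(Finding(section, "high", "auto-start/service binary under a user-writable profile path", line))
    if section == "O10":
        findings.append(Finding(section, "review", "Winsock LSP not recognised by HijackThis; verify its publisher", line))
    if section == "O20":
        findings.append(Finding(section, "review", "AppInit_DLLs entry is loaded into every process that uses user32.dll", line))
    if section == "O4" and not re.search(r"[a-z]:\\", lower):
        findings.append(Finding(section, "info", "Run entry has no full path; binary is resolved via PATH search", line))
    return findings


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log and collect the findings."""
    out: List[Finding] = []
    for line in text.splitlines():
        out.extend(triage_line(line))
    return out


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity so a log can be compared run-to-run."""
    counts = {"info": 0, "review": 0, "high": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

On the sample, the orphaned BHO and the missing appdrvrem01 binary come out as "info", the two "Unknown owner" services and the O10/O20 lines as "review", and only the service started from a Desktop folder as "high". The heuristics are a reading aid, not a verdict: a per-user installer such as Google Update under Local Settings trips the profile-path rule too, so every flagged line still needs the kind of manual review the helper in this thread performs.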


#2 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 12 December 2008 - 04:04 PM

Hello Nezu,

Sorry about the delay. :thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 Nezu
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male
  • Location:Washington

Posted 12 December 2008 - 04:26 PM

In good time all questions are answered. :thumbsup: Yeah, I still have the bugger hanging about here somewhere, and the image I've attached is still as accurate as ever, so here's my new log:

And thanks for the welcome, hope someone can help. :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:58 PM, on 12/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Google\Update\GoogleUpdate.exe
E:\Program Files\LogMeIn\x86\RaMaint.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\Program Files\LogMeIn\x86\LogMeIn.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
E:\WINDOWS\system32\nvsvc32.exe
e:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
E:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
E:\WINDOWS\Mixer.exe
E:\Program Files\Windows Defender\MSASCui.exe
E:\WINDOWS\VM_STI.EXE
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\LogMeIn\x86\LogMeInSystray.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Documents and Settings\Nezu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\Electronic Arts\EADM\Core.exe
E:\Program Files\DNA\btdna.exe
E:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\PROGRA~1\AVG\AVG8\avgscanx.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
E:\Documents and Settings\Nezu\Desktop\HJT Folder\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - E:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - E:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "E:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CanonSolutionMenu] E:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [Windows Defender] "E:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BigDogPath] E:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "E:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\Nezu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EA Core] E:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "E:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [DW6] "E:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - E:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - E:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Unknown owner - E:\WINDOWS\System32\appdrvrem01.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c94141d2af585a) (gupdate1c94141d2af585a) - Google Inc. - E:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPTools - Unknown owner - E:\Documents and Settings\Nezu\Desktop\sniffer\iptools.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - E:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - E:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - E:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - E:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11316 bytes

#4 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 12 December 2008 - 04:54 PM

Hello,

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#5 Nezu
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male
  • Location:Washington

Posted 14 December 2008 - 06:15 PM

Sorry for the long reply; things have been a bit hectic on my end, so here are my new logs:

ComboFix 08-12-12.02 - Nezu 2008-12-14 14:14:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.557 [GMT -8:00]
Running from: e:\documents and settings\Nezu\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\windows\system32\grecorder.dll
e:\windows\system32\kdrxg.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.

2008-12-12 13:47 . 2008-12-12 13:49 1,393 --a------ e:\windows\imsins.BAK
2008-11-27 14:26 . 2008-11-27 14:26 <DIR> d-------- e:\documents and settings\Nezu\Application Data\OpenOffice.org
2008-11-27 09:54 . 2008-11-27 09:54 <DIR> d-------- e:\program files\OpenOffice.org 3
2008-11-27 09:54 . 2008-11-27 09:54 <DIR> d-------- e:\program files\JRE
2008-11-26 17:53 . 2008-11-26 17:53 <DIR> d-------- e:\program files\NStorm
2008-11-23 18:02 . 2008-12-04 17:33 <DIR> d-------- e:\documents and settings\All Users\Application Data\Autodesk
2008-11-23 17:57 . 2008-12-04 17:37 <DIR> d-------- e:\program files\Common Files\Autodesk Shared
2008-11-20 00:00 . 2008-11-20 00:00 46,056 --ah----- e:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-14 22:27 92,784,672 --sha-w e:\windows\system32\drivers\fidbox.dat
2008-12-14 22:27 --------- d-----w e:\documents and settings\Nezu\Application Data\skypePM
2008-12-14 22:27 --------- d-----w e:\documents and settings\Nezu\Application Data\Skype
2008-12-14 22:26 --------- d-----w e:\program files\DNA
2008-12-14 22:26 --------- d-----w e:\documents and settings\Nezu\Application Data\DNA
2008-12-14 22:23 1,090,004 --sha-w e:\windows\system32\drivers\fidbox.idx
2008-12-14 11:26 --------- d-----w e:\program files\LogMeIn
2008-12-12 15:24 --------- d-----w e:\documents and settings\All Users\Application Data\avg8
2008-12-11 17:53 --------- d-----w e:\documents and settings\Nezu\Application Data\Azureus
2008-12-09 17:27 --------- d-----w e:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-06 01:32 2,809,344 ----a-w e:\windows\Internet Logs\xDB5.tmp
2008-12-01 03:05 --------- d-----w e:\program files\Google
2008-11-27 17:53 --------- d-----w e:\program files\OpenOffice.org 2.4
2008-11-27 17:18 --------- d-----w e:\documents and settings\Nezu\Application Data\OpenOffice.org2
2008-11-25 20:59 --------- d-----w e:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-24 02:10 --------- d-----w e:\program files\Autodesk
2008-11-23 17:08 --------- d-----w e:\program files\Azureus
2008-11-21 05:00 3,227,648 ----a-w e:\windows\Internet Logs\xDB3.tmp
2008-11-21 05:00 2,726,912 ----a-w e:\windows\Internet Logs\xDB4.tmp
2008-11-14 07:51 --------- d-----w e:\program files\Guild Wars
2008-11-11 20:20 4,944,751 ----a-w e:\windows\system32\xa84046906.exe
2008-11-11 20:20 4,944,751 ----a-w e:\windows\system32\xa84045968.exe
2008-11-11 20:19 4,944,751 ----a-w e:\windows\system32\xa83936187.exe
2008-11-11 20:19 4,944,751 ----a-w e:\windows\system32\xa83935000.exe
2008-11-11 01:31 --------- d-----w e:\program files\Skype
2008-11-09 17:29 --------- d-----w e:\documents and settings\Nezu\Application Data\Red Alert 3
2008-11-09 01:48 --------- d-----w e:\program files\Electronic Arts
2008-11-06 16:36 --------- d-----w e:\program files\Oxin's Style!
2008-11-03 15:25 --------- d-----w e:\program files\Common Files\INCA Shared
2008-11-03 07:27 --------- d-----w e:\program files\Gpotato
2008-10-30 14:51 --------- d-----w e:\program files\Spybot - Search & Destroy
2008-10-29 17:38 --------- d-----w e:\program files\SSI
2008-10-27 00:04 27,904 ----a-w e:\windows\system32\drivers\ndisprot.sys
2008-10-26 20:43 --------- d-----w e:\documents and settings\Nezu\Application Data\Subversion
2008-10-24 15:45 --------- d-----w e:\documents and settings\All Users\Application Data\Yahoo!
2008-10-24 11:10 453,632 ----a-w e:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w e:\windows\system32\gdi32.dll
2008-10-23 03:14 --------- d--h--w e:\program files\InstallShield Installation Information
2008-10-23 03:13 --------- d-----w e:\program files\Veoh Networks
2008-10-18 21:25 --------- d-----w e:\program files\SecondLife
2008-10-17 04:45 410,976 ----a-w e:\windows\system32\deploytk.dll
2008-10-17 04:45 --------- d-----w e:\program files\Java
2008-10-17 03:35 87,352 ----a-w e:\windows\system32\LMIinit.dll
2008-10-17 03:35 83,288 ----a-w e:\windows\system32\LMIRfsClientNP.dll
2008-10-17 03:35 28,984 ----a-w e:\windows\system32\LMIport.dll
2008-10-17 03:35 23,736 ----a-w e:\windows\system32\lmimirr.dll
2008-10-17 03:35 10,040 ----a-w e:\windows\system32\lmimirr2.dll
2008-10-17 01:55 --------- d-----w e:\documents and settings\Nezu\Application Data\Aptana
2008-10-17 01:22 --------- d-----w e:\program files\Aptana
2008-10-16 22:13 202,776 ----a-w e:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w e:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w e:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w e:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w e:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w e:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w e:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w e:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w e:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w e:\windows\system32\muweb.dll
2008-10-16 20:38 826,368 ----a-w e:\windows\system32\wininet.dll
2008-10-13 14:19 4,128,921 ----a-w e:\windows\Internet Logs\tvDebug.zip
2008-10-03 10:15 247,326 ----a-w e:\windows\system32\strmdll.dll
2008-10-01 00:43 1,286,152 ----a-w e:\windows\system32\msxml4.dll
2008-09-21 22:04 69,632 ----a-w e:\windows\system32\CheckRevision.dll
2008-09-21 05:42 2,986,496 ----a-w e:\windows\Internet Logs\xDB2.tmp
2008-09-15 11:57 1,846,016 ----a-w e:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="e:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SpybotSD TeaTimer"="e:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Google Update"="e:\documents and settings\Nezu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-08-27 133104]
"Messenger (Yahoo!)"="e:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-16 4347120]
"EA Core"="e:\program files\Electronic Arts\EADM\Core.exe" [2008-06-13 2752512]
"MsnMsgr"="e:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"BitTorrent DNA"="e:\program files\DNA\btdna.exe" [2008-11-12 342336]
"DW6"="e:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-10-06 793712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="e:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="e:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"PHIME2002A"="e:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"AVG8_TRAY"="e:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-28 1261336]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"Acronis Scheduler2 Service"="e:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 149024]
"CanonSolutionMenu"="e:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"BigDogPath"="e:\windows\VM_STI.EXE" [2003-01-21 40960]
"ZoneAlarm Client"="e:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"LogMeIn GUI"="e:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2008-10-16 144792]
"nwiz"="nwiz.exe" [2007-12-05 e:\windows\system32\nwiz.exe]
"C-Media Mixer"="Mixer.exe" [2002-10-15 e:\windows\mixer.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 e:\windows\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 e:\windows\KHALMNPR.Exe]

e:\documents and settings\Nezu\Start Menu\Programs\Startup\
Adobe Gamma.lnk - e:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - e:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-05-15 67128]
Logitech SetPoint.lnk - e:\program files\Logitech\SetPoint\SetPoint.exe [2008-05-15 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"system"="kdrxg.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 e:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 19:35 87352 e:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= e:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"e:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\Azureus\\Azureus.exe"=
"e:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"e:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"e:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"e:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"e:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"e:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"e:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"e:\\Program Files\\DNA\\btdna.exe"=
"e:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"e:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"e:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"e:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"e:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;e:\windows\system32\DRIVERS\nvcchflt.sys [2008-04-29 16640]
R1 appdrv01;Application Driver (01);e:\windows\system32\Drivers\appdrv01.sys [2008-09-16 2915944]
R1 AvgLdx86;AVG AVI Loader Driver x86;e:\windows\system32\Drivers\avgldx86.sys [2008-04-28 97928]
R2 avg8emc;AVG8 E-mail Scanner;e:\progra~1\AVG\AVG8\avgemc.exe [2008-07-02 875288]
R2 avg8wd;AVG8 WatchDog;e:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-02 231704]
R2 AvgTdiX;AVG8 Network Redirector;e:\windows\system32\Drivers\avgtdix.sys [2008-04-28 76040]
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\e:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\e:\windows\system32\drivers\LMIRfsDriver.sys [2008-09-17 47640]
R2 vnccom;vnccom;e:\windows\system32\Drivers\vnccom.SYS [2008-09-17 6016]
R2 WinDefend;Windows Defender;"e:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S2 appdrvrem01;Application Driver Auto Removal Service (01);e:\windows\System32\appdrvrem01.exe svc []
S2 gupdate1c94141d2af585a;Google Update Service (gupdate1c94141d2af585a);"e:\program files\Google\Update\GoogleUpdate.exe" /svc [2008-11-07 133104]
S3 IPTools;IPTools;e:\documents and settings\Nezu\Desktop\sniffer\iptools.exe [2008-07-17 5960192]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\e:\windows\system32\drivers\Ndisprot.sys [2008-10-26 27904]
S3 NPF;NetGroup Packet Filter Driver;e:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 radpms;Driver for RADPMS Device;e:\windows\system32\DRIVERS\radpms.sys [2008-07-24 12192]
S4 LMIRfsClientNP;LMIRfsClientNP; []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"e:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5a04a9c-946e-11dd-8a12-0000e8133f7a}]
\Shell\AutoRun\command - G:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-12 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-14 e:\windows\Tasks\GoogleUpdateTaskMachine.job
- e:\program files\Google\Update\GoogleUpdate.exe [2008-10-20 06:54]

2008-12-14 e:\windows\Tasks\GoogleUpdateTaskUser.job
- e:\documents and settings\Nezu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-08-27 17:56]

2008-12-14 e:\windows\Tasks\MP Scheduled Scan.job
- e:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - e:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O16 -: Microsoft XML Parser for Java - file:///E:/WINDOWS/Java/classes/xmldso.cab
e:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - e:\documents and settings\Nezu\Application Data\Mozilla\Firefox\Profiles\lboq8djn.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: e:\documents and settings\Nezu\Application Data\Mozilla\Firefox\Profiles\lboq8djn.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: e:\documents and settings\Nezu\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF - plugin: e:\program files\DNA\plugins\npbtdna.dll
FF - plugin: e:\program files\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF - plugin: e:\program files\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF - plugin: e:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: e:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\np_gp.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npWebLaunch.dll
FF - plugin: e:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: e:\program files\Yahoo!\Shared\npYState.dll
.
.
------- File Associations -------
.
inffile=e:\program files\Notepad3\Notepad3.exe %1
inifile=e:\program files\Notepad3\Notepad3.exe %1
txtfile=e:\program files\Notepad3\Notepad3.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 14:24:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
e:\program files\common files\logitech\bluetooth\LBTWlgn.dll
e:\windows\system32\LMIinit.dll
e:\program files\common files\logitech\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
e:\windows\system32\ZoneLabs\vsmon.exe
e:\program files\Common Files\Seagate\Schedule2\schedul2.exe
e:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
e:\program files\Bonjour\mDNSResponder.exe
e:\program files\Java\jre6\bin\jqs.exe
e:\program files\LogMeIn\x86\ramaint.exe
e:\program files\LogMeIn\x86\LogMeIn.exe
e:\program files\LogMeIn\x86\LMIGuardian.exe
e:\program files\AVG\AVG8\avgrsx.exe
e:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
e:\windows\system32\nvsvc32.exe
e:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
e:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
e:\windows\system32\rundll32.exe
e:\program files\LogMeIn\x86\LMIGuardian.exe
e:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
e:\program files\Skype\Plugin Manager\skypePM.exe
e:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-14 14:36:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-14 22:35:33

Pre-Run: 533,905,592,320 bytes free
Post-Run: 533,938,229,248 bytes free

279 --- E O F --- 2008-12-12 21:50:00


-----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:24 PM, on 12/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Google\Update\GoogleUpdate.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\WINDOWS\system32\nvsvc32.exe
e:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
E:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
E:\WINDOWS\Mixer.exe
E:\WINDOWS\VM_STI.EXE
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Skype\Phone\Skype.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Documents and Settings\Nezu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
E:\Program Files\Electronic Arts\EADM\Core.exe
E:\Program Files\DNA\btdna.exe
E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\Program Files\Skype\Plugin Manager\skypePM.exe
E:\WINDOWS\explorer.exe
E:\WINDOWS\system32\notepad.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\AVG\AVG8\avgtray.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Documents and Settings\Nezu\Desktop\HJT Folder\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - E:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - E:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "E:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CanonSolutionMenu] E:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [BigDogPath] E:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "E:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\Nezu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EA Core] E:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "E:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [DW6] "E:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - E:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - E:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Unknown owner - E:\WINDOWS\System32\appdrvrem01.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c94141d2af585a) (gupdate1c94141d2af585a) - Google Inc. - E:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPTools - Unknown owner - E:\Documents and Settings\Nezu\Desktop\sniffer\iptools.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - E:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - E:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - E:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - E:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10978 bytes
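
The entry the helper acts on in the next reply, `"system"="kdrxg.exe"` under the Winlogon key, is visible in the ComboFix "Reg Loading Points" section of the log above. As an added example (not ComboFix's code and not anything posted in this thread), the Python script below parses that section and flags the entries a responder checks first; its sample log is constructed from a few lines of the posted log, and the Winlogon "Shell" rule is a generalisation this particular log does not exercise.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread: not ComboFix's code and not anything the
helper posted. The rules encode what a responder looks at first in such a
log: the Winlogon 'System'/'Shell' values, AppInit_DLLs, and the two
firewall-related settings. SAMPLE_LOG is constructed from a few lines of
the log posted above.
"""
import re
from dataclasses import dataclass

# Constructed sample, cut down from the posted log (raw string, single backslashes).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="e:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"system"="kdrxg.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


@dataclass
class Finding:
    severity: str  # "high" = likely malicious persistence, "check" = verify by hand
    key: str
    name: str
    value: str
    reason: str


KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')
# ComboFix appends " [date size]" or " [date path]" after values it resolved to a file.
TRAILER_RE = re.compile(r"\s*\[\d{4}-\d{2}-\d{2} [^\]]*\]$")


def clean_value(value: str) -> str:
    """Drop the ComboFix trailer and surrounding quotes from a value."""
    value = TRAILER_RE.sub("", value.strip())
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return value


def decode_int(value: str):
    """Decode 'dword:00000001' or '0 (0x0)' style values; None if not numeric."""
    m = re.match(r"dword:([0-9a-fA-F]+)$", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\b", value)
    return int(m.group(1)) if m else None


def parse_reg_section(log_text: str):
    """Yield (key, name, value) for every value line under a [key] header."""
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), clean_value(m.group("value"))


def triage(log_text: str) -> list:
    """Return the entries worth a second look, most serious first."""
    findings = []
    for key, name, value in parse_reg_section(log_text):
        k, n = key.lower(), name.lower()
        if k.endswith("\\winlogon") and n == "system" and value:
            findings.append(Finding("high", key, name, value,
                "Winlogon 'System' is normally empty (ComboFix prints it only when "
                "non-default); winlogon starts whatever is named here at logon"))
        elif k.endswith("\\winlogon") and n == "shell" and value.lower() != "explorer.exe":
            findings.append(Finding("high", key, name, value,
                "Winlogon 'Shell' replaced; explorer.exe is the only expected value"))
        elif k.endswith("\\windows") and n == "appinit_dlls" and value:
            findings.append(Finding("check", key, name, value,
                "AppInit_DLLs is mapped into every process that loads user32.dll; "
                "confirm each DLL belongs to an installed product"))
        elif "firewallpolicy" in k and n == "enablefirewall" and decode_int(value) == 0:
            findings.append(Finding("check", key, name, value,
                "Windows Firewall standard profile is off; expected only when a "
                "third-party firewall is running"))
        elif "security center" in k and n == "disablemonitoring" and decode_int(value) == 1:
            findings.append(Finding("check", key, name, value,
                "Security Center will not warn about this product's state; "
                "legitimate for a registered firewall, otherwise tampering"))
    findings.sort(key=lambda f: f.severity != "high")  # stable sort: 'high' first
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.name}={f.value!r} under {f.key}\n    {f.reason}")
```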

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:56 AM

Posted 14 December 2008 - 06:32 PM

Hello,

No need to apologize. Real life has a way of happening, huh? :thumbsup:

Please do a Windows Search for this file: kdrxg.exe and delete it if it comes up. How is it running now? :)
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 Nezu

Posted 14 December 2008 - 06:37 PM

I've done that a few times in the past, and also wiped it out at the registry level, and it still keeps coming back. My thought is that it may be safelisted by S&B, but I cannot find it in S&B's lists either. Will try again.

Oh, ComboFix rebooted my computer, and with that happening my security systems all loaded back up; now my Active Shield on AVG Free is no longer active and everything tries to load into IE instead of Firefox. >.> Guessing I should probably just reinstall the two or repair the two from their respective installers?

#9 teacup61

Posted 14 December 2008 - 06:42 PM

Just reset FF as your default in the settings. That was supposed to happen, actually... and maybe even an IE icon on your desktop? :) Open AVG and see if you can reactivate the resident shield. If not, then yes, go ahead and get a fresh copy.

What is S&B? :thumbsup: And you've done a search for the file before? ComboFix said the file was deleted, but I want to be sure.

#11 Nezu

Posted 14 December 2008 - 06:45 PM

S&B is SpyBot Search and Destroy. And to the rest, okiedokies. :thumbsup: Thank you for the help; I will let you know if kdrxg.exe keeps coming back.

#12 Nezu

Posted 15 December 2008 - 10:52 AM

I hate to be a nuisance, TeaCup, and I really appreciate all that you've done to help me. But that thing is still there...

#13 teacup61

Posted 15 December 2008 - 05:17 PM

Hello,

You aren't being a nuisance. :thumbsup: Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle Bin and reboot your computer. Now go grab a fresh copy:

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#14 teacup61

Posted 15 December 2008 - 05:50 PM

Also please give this a run:

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

#15 Nezu

Posted 18 December 2008 - 10:24 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:37 PM, on 12/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Google\Update\GoogleUpdate.exe
E:\Program Files\LogMeIn\x86\RaMaint.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\Program Files\LogMeIn\x86\LogMeIn.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\Explorer.EXE
e:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
E:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
E:\WINDOWS\Mixer.exe
E:\WINDOWS\VM_STI.EXE
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\LogMeIn\x86\LogMeInSystray.exe
E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
E:\Program Files\Skype\Phone\Skype.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Documents and Settings\Nezu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
E:\Program Files\Electronic Arts\EADM\Core.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
E:\Program Files\DNA\btdna.exe
E:\Documents and Settings\Nezu\Desktop\HJT Folder\HiJackThis.exe
E:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\Program Files\Skype\Plugin Manager\skypePM.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - E:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - E:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "E:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CanonSolutionMenu] E:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [BigDogPath] E:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "E:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\Nezu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EA Core] E:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "E:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [DW6] "E:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - E:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - E:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Unknown owner - E:\WINDOWS\System32\appdrvrem01.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c94141d2af585a) (gupdate1c94141d2af585a) - Google Inc. - E:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPTools - Unknown owner - E:\Documents and Settings\Nezu\Desktop\sniffer\iptools.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - E:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - E:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - E:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - E:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11296 bytes

------------------------------------

ComboFix 08-12-18.01 - Nezu 2008-12-18 18:57:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1463 [GMT -8:00]
Running from: e:\documents and settings\Nezu\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\windows\system32\kdrxg.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-19 to 2008-12-19 )))))))))))))))))))))))))))))))
.

2008-11-27 14:26 . 2008-11-27 14:26 <DIR> d-------- e:\documents and settings\Nezu\Application Data\OpenOffice.org
2008-11-27 09:54 . 2008-11-27 09:54 <DIR> d-------- e:\program files\OpenOffice.org 3
2008-11-27 09:54 . 2008-11-27 09:54 <DIR> d-------- e:\program files\JRE
2008-11-26 17:53 . 2008-11-26 17:53 <DIR> d-------- e:\program files\NStorm
2008-11-23 18:02 . 2008-12-04 17:33 <DIR> d-------- e:\documents and settings\All Users\Application Data\Autodesk
2008-11-23 17:57 . 2008-12-04 17:37 <DIR> d-------- e:\program files\Common Files\Autodesk Shared
2008-11-20 00:00 . 2008-11-20 00:00 46,056 --ah----- e:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-19 03:07 --------- d-----w e:\documents and settings\Nezu\Application Data\skypePM
2008-12-19 03:06 94,529,568 --sha-w e:\windows\system32\drivers\fidbox.dat
2008-12-19 03:06 --------- d-----w e:\program files\DNA
2008-12-19 03:06 --------- d-----w e:\documents and settings\Nezu\Application Data\Skype
2008-12-19 03:06 --------- d-----w e:\documents and settings\Nezu\Application Data\DNA
2008-12-19 03:03 --------- d-----w e:\program files\LogMeIn
2008-12-19 03:02 1,110,596 --sha-w e:\windows\system32\drivers\fidbox.idx
2008-12-19 02:48 --------- d-----w e:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-17 14:35 5,936,548 ----a-w e:\windows\Internet Logs\tvDebug.zip
2008-12-15 06:20 --------- d-----w e:\documents and settings\All Users\Application Data\avg8
2008-12-11 17:53 --------- d-----w e:\documents and settings\Nezu\Application Data\Azureus
2008-12-06 01:32 2,809,344 ----a-w e:\windows\Internet Logs\xDB5.tmp
2008-12-01 03:05 --------- d-----w e:\program files\Google
2008-11-27 17:53 --------- d-----w e:\program files\OpenOffice.org 2.4
2008-11-27 17:18 --------- d-----w e:\documents and settings\Nezu\Application Data\OpenOffice.org2
2008-11-25 20:59 --------- d-----w e:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-24 02:10 --------- d-----w e:\program files\Autodesk
2008-11-23 17:08 --------- d-----w e:\program files\Azureus
2008-11-21 05:00 3,227,648 ----a-w e:\windows\Internet Logs\xDB3.tmp
2008-11-21 05:00 2,726,912 ----a-w e:\windows\Internet Logs\xDB4.tmp
2008-11-14 07:51 --------- d-----w e:\program files\Guild Wars
2008-11-11 01:31 --------- d-----w e:\program files\Skype
2008-11-09 17:29 --------- d-----w e:\documents and settings\Nezu\Application Data\Red Alert 3
2008-11-09 01:48 --------- d-----w e:\program files\Electronic Arts
2008-11-06 16:36 --------- d-----w e:\program files\Oxin's Style!
2008-11-03 15:25 --------- d-----w e:\program files\Common Files\INCA Shared
2008-11-03 07:27 --------- d-----w e:\program files\Gpotato
2008-10-30 14:51 --------- d-----w e:\program files\Spybot - Search & Destroy
2008-10-29 17:38 --------- d-----w e:\program files\SSI
2008-10-27 00:04 27,904 ----a-w e:\windows\system32\drivers\ndisprot.sys
2008-10-26 20:43 --------- d-----w e:\documents and settings\Nezu\Application Data\Subversion
2008-10-24 15:45 --------- d-----w e:\documents and settings\All Users\Application Data\Yahoo!
2008-10-24 11:10 453,632 ----a-w e:\windows\system32\drivers\mrxsmb.sys
2008-10-23 03:14 --------- d--h--w e:\program files\InstallShield Installation Information
2008-10-23 03:13 --------- d-----w e:\program files\Veoh Networks
2008-09-21 05:42 2,986,496 ----a-w e:\windows\Internet Logs\xDB2.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="e:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SpybotSD TeaTimer"="e:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Google Update"="e:\documents and settings\Nezu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-08-27 133104]
"Messenger (Yahoo!)"="e:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-16 4347120]
"EA Core"="e:\program files\Electronic Arts\EADM\Core.exe" [2008-06-13 2752512]
"MsnMsgr"="e:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"BitTorrent DNA"="e:\program files\DNA\btdna.exe" [2008-11-12 342336]
"DW6"="e:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-10-06 793712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="e:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="e:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"PHIME2002A"="e:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"AVG8_TRAY"="e:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-28 1261336]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"Acronis Scheduler2 Service"="e:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 149024]
"CanonSolutionMenu"="e:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"BigDogPath"="e:\windows\VM_STI.EXE" [2003-01-21 40960]
"ZoneAlarm Client"="e:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"LogMeIn GUI"="e:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2008-10-16 144792]
"nwiz"="nwiz.exe" [2007-12-05 e:\windows\system32\nwiz.exe]
"C-Media Mixer"="Mixer.exe" [2002-10-15 e:\windows\mixer.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 e:\windows\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 e:\windows\KHALMNPR.Exe]

e:\documents and settings\Nezu\Start Menu\Programs\Startup\
Adobe Gamma.lnk - e:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - e:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-05-15 67128]
Logitech SetPoint.lnk - e:\program files\Logitech\SetPoint\SetPoint.exe [2008-05-15 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"system"="kdrxg.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 e:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 19:35 87352 e:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= e:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"e:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\Azureus\\Azureus.exe"=
"e:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"e:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"e:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"e:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"e:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"e:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"e:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"e:\\Program Files\\DNA\\btdna.exe"=
"e:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"e:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"e:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"e:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"e:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;e:\windows\system32\DRIVERS\nvcchflt.sys [2008-04-29 16640]
R1 appdrv01;Application Driver (01);e:\windows\system32\Drivers\appdrv01.sys [2008-09-16 2915944]
R1 AvgLdx86;AVG AVI Loader Driver x86;e:\windows\system32\Drivers\avgldx86.sys [2008-04-28 97928]
R2 avg8emc;AVG8 E-mail Scanner;e:\progra~1\AVG\AVG8\avgemc.exe [2008-07-02 875288]
R2 avg8wd;AVG8 WatchDog;e:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-02 231704]
R2 AvgTdiX;AVG8 Network Redirector;e:\windows\system32\Drivers\avgtdix.sys [2008-04-28 76040]
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\e:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\e:\windows\system32\drivers\LMIRfsDriver.sys [2008-09-17 47640]
R2 vnccom;vnccom;e:\windows\system32\Drivers\vnccom.SYS [2008-09-17 6016]
R2 WinDefend;Windows Defender;"e:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S2 appdrvrem01;Application Driver Auto Removal Service (01);e:\windows\System32\appdrvrem01.exe svc []
S2 gupdate1c94141d2af585a;Google Update Service (gupdate1c94141d2af585a);"e:\program files\Google\Update\GoogleUpdate.exe" /svc [2008-11-07 133104]
S3 IPTools;IPTools;e:\documents and settings\Nezu\Desktop\sniffer\iptools.exe [2008-07-17 5960192]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\e:\windows\system32\drivers\Ndisprot.sys [2008-10-26 27904]
S3 NPF;NetGroup Packet Filter Driver;e:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 radpms;Driver for RADPMS Device;e:\windows\system32\DRIVERS\radpms.sys [2008-07-24 12192]
S4 LMIRfsClientNP;LMIRfsClientNP; []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"e:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5a04a9c-946e-11dd-8a12-0000e8133f7a}]
\Shell\AutoRun\command - G:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-12 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-19 e:\windows\Tasks\GoogleUpdateTaskMachine.job
- e:\program files\Google\Update\GoogleUpdate.exe [2008-10-20 06:54]

2008-12-19 e:\windows\Tasks\GoogleUpdateTaskUser.job
- e:\documents and settings\Nezu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-08-27 17:56]

2008-12-19 e:\windows\Tasks\MP Scheduled Scan.job
- e:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - e:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O16 -: Microsoft XML Parser for Java - file:///E:/WINDOWS/Java/classes/xmldso.cab
e:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - e:\documents and settings\Nezu\Application Data\Mozilla\Firefox\Profiles\lboq8djn.default\
FF - prefs.js: network.proxy.type - 4
FF - component: e:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: e:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - component: e:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: e:\documents and settings\Nezu\Application Data\Mozilla\Firefox\Profiles\lboq8djn.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npWebLaunch.dll
FF - plugin: e:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: e:\program files\Yahoo!\Shared\npYState.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
.
.
------- File Associations -------
.
inffile=e:\program files\Notepad3\Notepad3.exe %1
inifile=e:\program files\Notepad3\Notepad3.exe %1
txtfile=e:\program files\Notepad3\Notepad3.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-18 19:04:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
e:\program files\common files\logitech\bluetooth\LBTWlgn.dll
e:\windows\system32\LMIinit.dll
e:\program files\common files\logitech\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Common Files\Seagate\Schedule2\schedul2.exe
e:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
e:\program files\Bonjour\mDNSResponder.exe
e:\program files\Java\jre6\bin\jqs.exe
e:\program files\LogMeIn\x86\ramaint.exe
e:\program files\LogMeIn\x86\LogMeIn.exe
e:\program files\AVG\AVG8\avgrsx.exe
e:\program files\LogMeIn\x86\LMIGuardian.exe
e:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
e:\windows\system32\nvsvc32.exe
e:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
e:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
e:\windows\system32\rundll32.exe
e:\program files\LogMeIn\x86\LMIGuardian.exe
e:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
e:\program files\Skype\Plugin Manager\skypePM.exe
e:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-18 19:16:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-19 03:15:07
ComboFix2.txt 2008-12-14 22:37:01

Pre-Run: 531,611,799,552 bytes free
Post-Run: 531,646,410,752 bytes free

245 --- E O F --- 2008-12-18 15:13:05


------------------

GooredFix v1.5 by jpshortstuff
Log created at 19:22 on 18/12/2008 running Option #1

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="E:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="E:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="E:\Program Files\AVG\AVG8\Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{000a9d1c-beef-4f90-9363-039d445309b8}"="E:\Program Files\Google\Google Gears\Firefox\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="E:\Program Files\Java\jre6\lib\deploy\jqs\ff"



