
DnsChanger Infection?


This topic is locked
10 replies to this topic

#1 nlfdjr

Posted 21 December 2008 - 10:19 AM

I am receiving a lot of Vimax ads. I also have a DNS that is connected to a virus, and I can not change it. Here is my HijackThis log. I also uploaded an attachment of the log!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:18 AM, on 12/21/2008
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\TortoiseSVN\bin\TSVNCache.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\RTHDCPL.EXE
H:\Program Files\COMODO\COMODO Internet Security\cfp.exe
H:\WINDOWS\sm56hlpr.exe
H:\Program Files\Java\jre6\bin\jusched.exe
H:\PROGRA~1\Comodo\CBOClean\BOC427.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Hamachi\hamachi.exe
H:\Program Files\OpenOffice.org 3\program\soffice.exe
H:\Program Files\OpenOffice.org 3\program\soffice.bin
H:\Program Files\Comodo\CBOClean\BOCORE.exe
H:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
H:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\PnkBstrA.exe
H:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\SearchIndexer.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\wuauclt.exe
H:\WINDOWS\system32\SearchProtocolHost.exe
H:\Program Files\Opera\opera.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - H:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [COMODO Internet Security] "H:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BOC-427] H:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "H:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: hamachi.lnk = H:\Program Files\Hamachi\hamachi.exe
O4 - Startup: OpenOffice.org 3.0.lnk = H:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://H:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://H:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://H:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://H:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - H:\Documents and Settings\nlfdjr\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.process.com/spycatcher/SpywareScanner.ocx
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14D45757-5A07-4579-BDFE-2A5770DCDAED}: NameServer = 85.255.116.18;85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFD2F84E-F13F-45BF-9D17-701D3CB1B2E4}: NameServer = 85.255.116.18;85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.18;85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{14D45757-5A07-4579-BDFE-2A5770DCDAED}: NameServer = 85.255.116.18;85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.18;85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{14D45757-5A07-4579-BDFE-2A5770DCDAED}: NameServer = 85.255.116.18;85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.18;85.255.112.185
O20 - AppInit_DLLs: H:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: byXRlLEw - byXRlLEw.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - H:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - H:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - H:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: GBISUWIUCS - Sysinternals - www.sysinternals.com - H:\DOCUME~1\nlfdjr\LOCALS~1\Temp\GBISUWIUCS.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LB - Unknown owner - H:\DOCUME~1\ADMINI~1.NLF\LOCALS~1\Temp\LB.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - H:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - H:\Program Files\WinPcap\rpcapd.exe
O23 - Service: W - Unknown owner - H:\DOCUME~1\ADMINI~1.NLF\LOCALS~1\Temp\W.exe (file missing)
O23 - Service: XBUBKMSE - Unknown owner - H:\DOCUME~1\ADMINI~1.NLF\LOCALS~1\Temp\XBUBKMSE.exe (file missing)
O23 - Service: XVIKJXDJ - Sysinternals - www.sysinternals.com - H:\DOCUME~1\nlfdjr\LOCALS~1\Temp\XVIKJXDJ.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 9859 bytes

Attached Files





#2 teacup61 (Malware Response Team)

Posted 21 December 2008 - 03:29 PM

Hello nlfdjr,

Let's try this the easy way first:

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 nlfdjr


Posted 21 December 2008 - 03:46 PM

I ran it already, so I ran it again. Here is the log.

Malwarebytes' Anti-Malware 1.31
Database version: 1526
Windows 5.1.2600 Service Pack 3, v.5657

12/21/2008 3:46:44 PM
mbam-log-2008-12-21 (15-46-44).txt

Scan type: Quick Scan
Objects scanned: 57801
Time elapsed: 3 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 9
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.18;85.255.112.185 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{14d45757-5a07-4579-bdfe-2a5770dcdaed}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.18;85.255.112.185 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{afd2f84e-f13f-45bf-9d17-701d3cb1b2e4}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.18;85.255.112.185 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.18;85.255.112.185 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{14d45757-5a07-4579-bdfe-2a5770dcdaed}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.18;85.255.112.185 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{afd2f84e-f13f-45bf-9d17-701d3cb1b2e4}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.18;85.255.112.185 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.18;85.255.112.185 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{14d45757-5a07-4579-bdfe-2a5770dcdaed}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.18;85.255.112.185 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{afd2f84e-f13f-45bf-9d17-701d3cb1b2e4}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.18;85.255.112.185 -> Quarantined and deleted successfully.

Folders Infected:
H:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
H:\WINDOWS\system32\msqpdxmtvearxx.dll (Trojan.Agent) -> Delete on reboot.
H:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\drivers\msqpdxmqltoiqh.sys (Trojan.Agent) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\drivers\msqpdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
H:\WINDOWS\Temp\tempo-711.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Edited by nlfdjr, 21 December 2008 - 03:47 PM.


#4 teacup61 (Malware Response Team)

Posted 21 December 2008 - 03:48 PM

And a new HijackThis log please? :thumbsup:

#5 nlfdjr


Posted 21 December 2008 - 03:59 PM

This is the new log. There is also one attached.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:58 PM, on 12/21/2008
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\TortoiseSVN\bin\TSVNCache.exe
H:\WINDOWS\RTHDCPL.EXE
H:\Program Files\COMODO\COMODO Internet Security\cfp.exe
H:\WINDOWS\sm56hlpr.exe
H:\Program Files\Java\jre6\bin\jusched.exe
H:\PROGRA~1\Comodo\CBOClean\BOC427.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Hamachi\hamachi.exe
H:\Program Files\OpenOffice.org 3\program\soffice.exe
H:\Program Files\OpenOffice.org 3\program\soffice.bin
H:\Program Files\Comodo\CBOClean\BOCORE.exe
H:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
H:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\PnkBstrA.exe
H:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\SearchIndexer.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\wuauclt.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Opera\opera.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - H:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [COMODO Internet Security] "H:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BOC-427] H:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "H:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "H:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: hamachi.lnk = H:\Program Files\Hamachi\hamachi.exe
O4 - Startup: OpenOffice.org 3.0.lnk = H:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://H:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://H:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://H:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://H:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - H:\Documents and Settings\nlfdjr\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.process.com/spycatcher/SpywareScanner.ocx
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14D45757-5A07-4579-BDFE-2A5770DCDAED}: NameServer = 85.255.116.18;85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFD2F84E-F13F-45BF-9D17-701D3CB1B2E4}: NameServer = 85.255.116.18;85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.18;85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{14D45757-5A07-4579-BDFE-2A5770DCDAED}: NameServer = 85.255.116.18;85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.18;85.255.112.185
O20 - AppInit_DLLs: H:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: byXRlLEw - byXRlLEw.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - H:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BOCore - COMODO - H:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - H:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - H:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: GBISUWIUCS - Sysinternals - www.sysinternals.com - H:\DOCUME~1\nlfdjr\LOCALS~1\Temp\GBISUWIUCS.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LB - Unknown owner - H:\DOCUME~1\ADMINI~1.NLF\LOCALS~1\Temp\LB.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - H:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - H:\Program Files\WinPcap\rpcapd.exe
O23 - Service: W - Unknown owner - H:\DOCUME~1\ADMINI~1.NLF\LOCALS~1\Temp\W.exe (file missing)
O23 - Service: XBUBKMSE - Unknown owner - H:\DOCUME~1\ADMINI~1.NLF\LOCALS~1\Temp\XBUBKMSE.exe (file missing)
O23 - Service: XVIKJXDJ - Sysinternals - www.sysinternals.com - H:\DOCUME~1\nlfdjr\LOCALS~1\Temp\XVIKJXDJ.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 9732 bytes

Attached Files
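An added defender's check, not code from this thread or from the HijackThis/MBAM tools: it parses the O17 NameServer lines and the Temp-directory O23 services from constructed excerpts of the two HijackThis logs above and reports which rogue resolvers survived the MBAM run (the 85.255.x.x entries appear in both logs). The allowlist of expected resolvers is an assumption; a real deployment would list the ISP's or router's DNS servers there.

```python
import ipaddress
import re

# Constructed excerpts of the two HijackThis logs posted in this thread
# (post #1 before the MBAM run, post #5 after it). Only O17/O23 lines kept.
HJT_BEFORE = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{14D45757-5A07-4579-BDFE-2A5770DCDAED}: NameServer = 85.255.116.18;85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.18;85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.18;85.255.112.185
O23 - Service: Diskeeper - Diskeeper Corporation - H:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: LB - Unknown owner - H:\DOCUME~1\ADMINI~1.NLF\LOCALS~1\Temp\LB.exe (file missing)
O23 - Service: XVIKJXDJ - Sysinternals - www.sysinternals.com - H:\DOCUME~1\nlfdjr\LOCALS~1\Temp\XVIKJXDJ.exe
"""
HJT_AFTER = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{14D45757-5A07-4579-BDFE-2A5770DCDAED}: NameServer = 85.255.116.18;85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.18;85.255.112.185
O23 - Service: BOCore - COMODO - H:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: XVIKJXDJ - Sysinternals - www.sysinternals.com - H:\DOCUME~1\nlfdjr\LOCALS~1\Temp\XVIKJXDJ.exe
"""

# Assumed allowlist (constructed): networks the machine's resolvers are
# expected to live in. Anything outside these is reported as rogue.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<value>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+)$")


def parse_o17(log_text):
    """Return (registry_key, [nameserver, ...]) for every O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in re.split(r"[;,]", m.group("value")) if s.strip()]
            entries.append((m.group("key"), servers))
    return entries


def rogue_nameservers(log_text, allowed=EXPECTED_RESOLVERS):
    """Set of NameServer values that fall outside every allowed network."""
    rogue = set()
    for _key, servers in parse_o17(log_text):
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                rogue.add(s)  # not even an IP address: treat as suspicious
                continue
            if not any(ip in net for net in allowed):
                rogue.add(s)
    return rogue


def persisting_rogue_nameservers(before, after):
    """Rogue resolvers present in both logs, i.e. the cleanup did not take."""
    return rogue_nameservers(before) & rogue_nameservers(after)


def temp_services(log_text):
    """Names of O23 services whose binary lives under a Temp directory."""
    names = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        # The path is the last " - " separated field; the owner may itself
        # contain " - " (e.g. "Sysinternals - www.sysinternals.com").
        head, _sep, path = m.group("rest").rpartition(" - ")
        if "\\temp\\" in path.lower():
            names.append(head.split(" - ")[0])
    return names


if __name__ == "__main__":
    print("rogue resolvers before MBAM:", sorted(rogue_nameservers(HJT_BEFORE)))
    print("still present after MBAM:  ", sorted(persisting_rogue_nameservers(HJT_BEFORE, HJT_AFTER)))
    print("services running from Temp:", temp_services(HJT_AFTER))
```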



#6 teacup61 (Malware Response Team)

Posted 21 December 2008 - 04:09 PM

Thanks. :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea

#7 nlfdjr


Posted 21 December 2008 - 05:16 PM

This is the ComboFix file, and the HijackThis log!


ComboFix 08-12-21.02 - nlfdjr 2008-12-21 17:08:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.583 [GMT -5:00]
Running from: h:\documents and settings\nlfdjr\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\resycled
c:\resycled\boot.com
H:\Autorun.inf
h:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
h:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
h:\windows\system32\Updater.exe

----- BITS: Possible infected sites -----

hxxp://bmt2.info
.
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-15 17:55 . 2008-12-15 17:55 616,204 --a------ h:\windows\system32\PerfStringBackup.TMP
2008-12-14 18:19 . 2008-12-14 18:19 <DIR> d-------- h:\program files\2K Games
2008-12-14 18:17 . 2008-12-14 18:17 <DIR> d-------- h:\documents and settings\nlfdjr\Application Data\InstallShield
2008-12-14 18:04 . 2008-12-14 18:04 <DIR> d-------- h:\program files\Notepad++
2008-12-14 18:04 . 2008-12-16 10:01 <DIR> d-------- h:\documents and settings\nlfdjr\Application Data\Notepad++
2008-12-14 17:06 . 2008-12-14 17:11 <DIR> d-------- h:\documents and settings\nlfdjr\Application Data\GrabIt
2008-12-14 17:00 . 2008-12-14 17:00 <DIR> d-------- h:\program files\GrabIt
2008-12-14 16:44 . 2008-12-14 16:45 <DIR> d-------- h:\program files\Yenka
2008-12-11 22:23 . 2008-12-11 22:23 <DIR> d-------- h:\program files\Memorex
2008-12-11 22:23 . 2007-02-15 14:14 19,840 --a------ h:\windows\system32\drivers\StMp3Rec.sys
2008-12-11 22:23 . 2006-03-21 17:09 360 --------- h:\windows\system32\drivers\StMp3Recnt.cat
2008-12-11 21:50 . 2008-12-11 21:50 <DIR> d-------- h:\program files\Mp3tag
2008-12-11 21:50 . 2008-12-11 22:00 <DIR> d-------- h:\documents and settings\nlfdjr\Application Data\Mp3tag
2008-12-11 21:38 . 2008-12-11 21:48 <DIR> d-------- h:\program files\Incomplete
2008-12-10 07:02 . 2008-12-10 07:02 <DIR> d-------- h:\windows\SQLTools9_KB954606_ENU
2008-12-10 07:00 . 2008-12-10 07:00 <DIR> d-------- h:\windows\SQL9_KB954606_ENU
2008-12-09 20:46 . 2008-12-09 20:46 172 --a------ h:\windows\ODBC.INI
2008-12-09 20:45 . 2008-12-09 20:45 <DIR> d-------- h:\windows\system32\js
2008-12-09 20:45 . 2008-12-09 20:45 <DIR> d-------- h:\windows\system32\images
2008-12-09 20:45 . 2008-12-09 20:45 <DIR> d-------- h:\windows\system32\html
2008-12-09 20:45 . 2008-12-09 20:45 <DIR> d-------- h:\windows\system32\css
2008-12-09 20:45 . 2008-12-09 20:45 <DIR> d-------- h:\program files\Business Objects
2008-12-09 20:39 . 2008-12-09 20:39 <DIR> d-------- h:\program files\MSXML 6.0
2008-12-09 20:36 . 2008-12-10 07:03 <DIR> d-------- h:\program files\Microsoft SQL Server
2008-12-09 20:36 . 2008-12-09 20:36 <DIR> d-------- h:\program files\Microsoft Device Emulator
2008-12-09 20:34 . 2008-12-09 20:35 <DIR> d-------- h:\program files\Windows Mobile 5.0 SDK R2
2008-12-09 20:34 . 2008-12-09 20:34 <DIR> d-------- h:\program files\Microsoft Synchronization Services
2008-12-09 20:34 . 2008-12-09 20:34 <DIR> d-------- h:\program files\Microsoft SQL Server Compact Edition
2008-12-09 20:26 . 2008-12-09 20:26 <DIR> d-------- h:\documents and settings\All Users\Application Data\PreEmptive Solutions
2008-12-09 20:21 . 2008-12-09 20:21 <DIR> d-------- h:\windows\symbols
2008-12-09 20:19 . 2008-12-09 20:42 <DIR> d-------- h:\program files\Microsoft.NET
2008-12-09 20:19 . 2008-12-09 20:19 <DIR> d-------- h:\program files\Microsoft SDKs
2008-12-09 20:19 . 2008-12-09 20:21 <DIR> d-------- h:\program files\HTML Help Workshop
2008-12-09 20:19 . 2008-12-09 20:26 <DIR> d-------- h:\program files\Common Files\Merge Modules
2008-12-09 20:19 . 2008-12-09 20:19 <DIR> d-------- h:\program files\CE Remote Tools
2008-12-09 18:19 . 2008-12-09 20:45 <DIR> d-------- h:\program files\Microsoft Visual Studio 9.0
2008-12-09 18:17 . 2008-12-09 18:17 <DIR> d-------- h:\program files\Microsoft Web Designer Tools
2008-12-09 18:17 . 2008-12-09 18:17 <DIR> dr-h----- H:\MSOCache
2008-12-09 18:16 . 2008-12-10 06:59 <DIR> d-------- h:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-08 15:40 . 2008-12-11 21:49 <DIR> d-------- h:\documents and settings\nlfdjr\Application Data\FrostWire
2008-12-08 15:38 . 2008-12-11 21:48 <DIR> d-------- h:\program files\FrostWire
2008-12-07 19:19 . 2008-12-19 20:39 <DIR> d-------- h:\documents and settings\nlfdjr\Application Data\Free Download Manager
2008-12-07 19:18 . 2008-12-07 19:19 <DIR> d-------- h:\program files\Free Download Manager
2008-12-07 19:18 . 2008-12-07 19:18 <DIR> d-------- h:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
2008-12-06 17:54 . 2008-12-06 17:54 <DIR> d-------- h:\program files\My-Proxy
2008-12-05 20:56 . 2008-12-05 20:56 <DIR> d-------- h:\documents and settings\nlfdjr\Application Data\VariCAD
2008-12-05 20:56 . 2008-12-05 20:56 <DIR> d-------- h:\documents and settings\All Users\Application Data\VariCAD
2008-12-05 20:55 . 2008-12-05 20:55 <DIR> d-------- h:\program files\VariCAD
2008-12-04 06:33 . 2008-10-16 14:06 268,648 --a------ h:\windows\system32\mucltui.dll
2008-12-04 06:33 . 2008-10-16 14:06 208,744 --a------ h:\windows\system32\muweb.dll
2008-12-04 06:33 . 2008-10-16 14:06 27,496 --a------ h:\windows\system32\mucltui.dll.mui
2008-12-03 18:44 . 2008-12-03 18:44 <DIR> d-------- h:\program files\Mutilate File Wiper
2008-12-03 18:38 . 2008-12-03 19:18 <DIR> d-------- h:\documents and settings\nlfdjr\Contacts
2008-12-03 18:37 . 2008-12-03 18:37 <DIR> d----c--- h:\windows\system32\DRVSTORE
2008-12-03 18:23 . 2008-12-03 18:36 <DIR> d-------- h:\program files\Windows Live
2008-12-03 18:23 . 2008-12-03 18:36 <DIR> d--hsc--- h:\program files\Common Files\WindowsLiveInstaller
2008-12-03 18:22 . 2008-12-03 18:35 <DIR> d-------- h:\documents and settings\All Users\Application Data\WLInstaller
2008-11-30 23:35 . 2008-11-30 23:36 <DIR> d-------- h:\program files\QuickTime
2008-11-30 23:35 . 2008-11-30 23:35 <DIR> d-------- h:\program files\Common Files\Apple
2008-11-30 23:35 . 2008-11-30 23:35 <DIR> d-------- h:\documents and settings\All Users\Application Data\Apple Computer
2008-11-30 22:19 . 2008-11-30 22:19 <DIR> d-------- h:\program files\UKE version 2.0.4 by- t3ch c0d3rz

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 14:30 --------- d-----w h:\program files\COMODO
2008-12-21 01:14 --------- d-----w h:\program files\Opera
2008-12-20 22:27 --------- d-----w h:\program files\PROnetworks
2008-12-20 01:33 --------- d-----w h:\program files\Realtek
2008-12-19 21:54 --------- d-----w h:\documents and settings\nlfdjr\Application Data\uTorrent
2008-12-19 21:51 147,192 ----a-w h:\windows\system32\guard32.dll
2008-12-19 21:51 101,776 ----a-w h:\windows\system32\drivers\cmdguard.sys
2008-12-18 21:32 --------- d-----w h:\program files\PeerGuardian2
2008-12-14 23:19 --------- d--h--w h:\program files\InstallShield Installation Information
2008-12-12 21:21 --------- d-----w h:\program files\Phun
2008-12-10 01:21 --------- d-----w h:\program files\MSBuild
2008-12-03 02:38 --------- d-----w h:\documents and settings\nlfdjr\Application Data\dvdcss
2008-11-29 23:23 --------- d-----w h:\program files\VirtualDJ
2008-11-28 16:47 --------- d-----w h:\program files\Electronic Arts
2008-11-27 20:03 --------- d-----w h:\program files\DAEMON Tools Lite
2008-11-27 15:23 --------- d-----w h:\program files\De Blob
2008-11-27 00:51 --------- d-----w h:\documents and settings\nlfdjr\Application Data\Sony
2008-11-27 00:49 --------- d-----w h:\program files\Sony
2008-11-27 00:45 --------- d-----w h:\program files\Sony Setup
2008-11-22 21:13 --------- d-----w h:\documents and settings\nlfdjr\Application Data\IMVU
2008-11-22 16:17 --------- d-----w h:\program files\Vidalia Bundle
2008-11-22 03:37 --------- d-----w h:\documents and settings\nlfdjr\Application Data\Red Alert 3
2008-11-20 21:14 --------- d--h--r h:\documents and settings\nlfdjr\Application Data\SecuROM
2008-11-20 19:24 --------- d-----w h:\program files\VideoReDoPlus
2008-11-20 19:24 --------- d-----w h:\documents and settings\nlfdjr\Application Data\VideoReDoPlus
2008-11-20 18:56 31,504 ----a-w h:\windows\system32\drivers\cmdhlp.sys
2008-11-20 18:48 1,781 ----a-w h:\windows\system32\IEPM4JTX.DRV
2008-11-20 17:56 --------- dc-h--w h:\documents and settings\All Users\Application Data\{727691AA-C0CE-4AB4-8D16-F6558DFF5408}
2008-11-20 17:56 --------- d-----w h:\program files\ffdshow
2008-11-20 16:55 --------- d-----w h:\documents and settings\nlfdjr\Application Data\IMVUClient
2008-11-19 05:06 --------- d-----w h:\program files\Blackjack Unleashed
2008-11-18 00:32 22,328 ----a-w h:\windows\system32\drivers\PnkBstrK.sys
2008-11-18 00:32 103,736 ----a-w h:\windows\system32\PnkBstrB.exe
2008-11-17 22:18 --------- d-----w h:\program files\WMR11
2008-11-17 22:18 --------- d-----w h:\program files\WinPcap
2008-11-17 22:17 --------- d-----w h:\program files\Replay Media Catcher
2008-11-17 22:12 237,568 ----a-w h:\windows\system32\rmc_rtspdl.dll
2008-11-17 22:12 156,672 ----a-w h:\windows\system32\rmc_fixasf.exe
2008-11-17 22:11 323,584 ----a-w h:\windows\system32\AUDIOGENIE2.DLL
2008-11-16 23:06 --------- d---a-w h:\documents and settings\All Users\Application Data\TEMP
2008-11-16 05:43 --------- d-----w h:\program files\Audacity
2008-11-16 05:02 --------- d-----w h:\program files\Bethesda Softworks
2008-11-16 05:02 --------- d-----w h:\documents and settings\All Users\Application Data\Fallout3
2008-11-16 03:36 --------- d-----w h:\program files\DivX
2008-11-15 20:23 --------- d-----w h:\program files\Qtracker
2008-11-14 19:55 --------- d-----w h:\documents and settings\nlfdjr\Application Data\Publish Providers
2008-11-14 19:55 --------- d-----w h:\documents and settings\nlfdjr\Application Data\DivX
2008-11-14 19:51 --------- d-----w h:\program files\Vstplugins
2008-11-14 19:51 --------- d-----w h:\documents and settings\All Users\Application Data\Sony
2008-11-13 21:17 --------- d-----w h:\program files\AliveMedia
2008-11-11 21:46 --------- d-----w h:\documents and settings\nlfdjr\Application Data\OpenOffice.org
2008-11-11 21:44 --------- d-----w h:\program files\OpenOffice.org 3
2008-11-11 19:07 --------- d-----w h:\documents and settings\nlfdjr\Application Data\Xfire
2008-11-10 10:43 410,984 ----a-w h:\windows\system32\deploytk.dll
2008-11-10 01:30 --------- d-----w h:\program files\Xfire
2008-11-10 01:30 --------- d-----w h:\documents and settings\NetworkService\Application Data\Xfire
2008-11-09 22:39 --------- d-----w h:\program files\SystemRequirementsLab
2008-11-09 22:34 --------- d-----w h:\documents and settings\Administrator.NLFDPC\Application Data\Windows Search
2008-11-09 22:00 201,248 ----a-w h:\windows\system32\nfr_071.exe
2008-11-09 05:03 --------- d-----w h:\documents and settings\nlfdjr\Application Data\Download Manager
2008-11-09 02:51 --------- d-----w h:\program files\GameSpy
2008-11-09 02:31 --------- d-----w h:\documents and settings\nlfdjr\Application Data\Windows Search
2008-11-09 02:27 --------- d-----w h:\documents and settings\nlfdjr\Application Data\Windows Desktop Search
2008-11-09 02:24 --------- d-----w h:\program files\Windows Desktop Search
2008-11-09 02:02 --------- d-----w h:\program files\GameSpy Arcade
2008-11-08 22:26 --------- d-----w h:\program files\Hacker Evolution
2008-11-08 09:23 66,872 ----a-w h:\windows\system32\PnkBstrA.exe
2008-11-08 09:16 22,328 ----a-w h:\documents and settings\nlfdjr\Application Data\PnkBstrK.sys
2008-11-08 09:06 --------- d-----w h:\program files\Activision
2008-11-08 03:06 --------- d-----w h:\documents and settings\nlfdjr\Application Data\Comodo
2008-11-08 02:59 --------- d-----w h:\documents and settings\All Users\Application Data\comodo
2008-11-07 22:34 --------- d-----w h:\program files\Mgboss
2008-11-07 22:29 --------- d-----w h:\program files\OneClickHideWindow
2008-11-07 20:01 --------- d-----w h:\documents and settings\nlfdjr\Application Data\vlc
2008-11-07 18:51 --------- d-----w h:\program files\Reference Assemblies
2008-11-07 18:14 --------- d-----w h:\program files\VideoLAN
2008-11-07 17:50 --------- d-----w h:\program files\Common Files\InstallShield
2008-11-07 16:21 361,344 ----a-w h:\windows\system32\drivers\tcpip.sys
2008-11-07 16:07 --------- d-----w h:\program files\uTorrent
2008-11-07 15:56 107,888 ----a-w h:\windows\system32\CmdLineExt.dll
2008-11-07 15:38 717,296 ----a-w h:\windows\system32\drivers\sptd.sys
2008-11-07 15:38 --------- d-----w h:\documents and settings\nlfdjr\Application Data\DAEMON Tools
2008-11-07 15:26 --------- d-----w h:\program files\Driver Magician
2008-11-07 15:24 --------- d-----w h:\program files\7-Zip
2008-11-07 03:05 --------- d-----w h:\program files\NeoSmart Technologies
2008-11-07 03:01 --------- d-----w h:\program files\Marvell
2008-11-07 02:56 --------- d-----w h:\program files\microsoft frontpage
2008-11-07 02:55 --------- d-----w h:\program files\Windows Media Connect 2
2008-10-30 01:25 42,320 ----a-w h:\windows\system32\xfcodec.dll
2008-10-27 15:04 70,992 ----a-w h:\windows\system32\XAPOFX1_2.dll
2008-10-27 15:04 514,384 ----a-w h:\windows\system32\XAudio2_3.dll
2008-10-27 15:04 235,856 ----a-w h:\windows\system32\xactengine3_3.dll
2008-10-27 15:04 23,376 ----a-w h:\windows\system32\X3DAudio1_5.dll
2008-10-24 11:21 455,296 ----a-w h:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w h:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w h:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w h:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w h:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w h:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w h:\windows\system32\cdm.dll
2007-11-30 23:26 62,989 --sh--r h:\windows\system32\lssa.exe
.

------- Sigcheck -------

2008-11-07 11:21 361344 25fa97dffd06153b735bfb7ad359bc65 h:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ h:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ h:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ h:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ h:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ h:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ h:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ h:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ h:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ h:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="h:\windows\system32\ctfmon.exe" [2007-11-30 15360]
"DAEMON Tools Lite"="h:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2008-08-01 13529088]
"COMODO Internet Security"="h:\program files\COMODO\COMODO Internet Security\cfp.exe" [2008-12-19 1797880]
"Adobe Reader Speed Launcher"="h:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2008-08-01 86016]
"QuickTime Task"="h:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="h:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"BOC-427"="h:\progra~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 351480]
"nwiz"="nwiz.exe" [2008-08-01 h:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 h:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 h:\windows\SkyTel.exe]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 h:\windows\sm56hlpr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2007-12-29 h:\windows\system32\advpack.dll]

h:\documents and settings\nlfdjr\Start Menu\Programs\Startup\
hamachi.lnk - h:\program files\Hamachi\hamachi.exe [2008-11-22 625952]
OpenOffice.org 3.0.lnk - h:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "h:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= h:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"h:\\Program Files\\uTorrent\\uTorrent.exe"=
"h:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"h:\\WINDOWS\\system32\\PnkBstrA.exe"=
"h:\\WINDOWS\\system32\\PnkBstrB.exe"=
"h:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"h:\\Program Files\\GameSpy\\Comrade\\Comrade.exe"=
"h:\\Program Files\\Opera\\opera.exe"=
"h:\\WINDOWS\\system32\\ftp.exe"=
"h:\\Program Files\\Xfire\\xfire.exe"=
"h:\\Program Files\\Qtracker\\qtracker.exe"=
"h:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\PacSteamT\\SteamApps\\800487\\GarrysMod\\hl2.exe"=
"c:\\PacSteamT\\SteamApps\\800487\\counter-strike source\\hl2.exe"=
"h:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"h:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"h:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 cmdGuard;COMODO Internet Security Sandbox Driver;h:\windows\system32\DRIVERS\cmdguard.sys [2008-11-07 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;h:\windows\system32\DRIVERS\cmdhlp.sys [2008-11-07 31504]
R2 UltraMonUtility;UltraMon Utility Driver;\??\h:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2008-09-14 10496]
S2 BOCore;BOCore;h:\program files\Comodo\CBOClean\BOCORE.exe [2008-12-21 73464]
S2 IMGJTM;IMG Joystick-To-Mouse Service; []
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc []
S3 GBISUWIUCS;GBISUWIUCS;h:\docume~1\nlfdjr\LOCALS~1\Temp\GBISUWIUCS.exe []
S3 LB;LB;h:\docume~1\ADMINI~1.NLF\LOCALS~1\Temp\LB.exe []
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;h:\windows\system32\DRIVERS\libusb0.sys [2008-12-16 28672]
S3 NPF;NetGroup Packet Filter Driver;h:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S3 pspdisp;pspdisp;h:\windows\system32\DRIVERS\pspdisp.sys [2008-09-12 3328]
S3 W;W;h:\docume~1\ADMINI~1.NLF\LOCALS~1\Temp\W.exe []
S3 XBUBKMSE;XBUBKMSE;h:\docume~1\ADMINI~1.NLF\LOCALS~1\Temp\XBUBKMSE.exe []
S3 XVIKJXDJ;XVIKJXDJ;h:\docume~1\nlfdjr\LOCALS~1\Temp\XVIKJXDJ.exe []

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

Notify-byXRlLEw - byXRlLEw.dll


.
------- Supplementary Scan -------
.
IE: Download all with Free Download Manager - file://h:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://h:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://h:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://h:\program files\Free Download Manager\dllink.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - h:\documents and settings\nlfdjr\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - h:\documents and settings\nlfdjr\Start Menu\Programs\IMVU\Run IMVU.lnk -

h:\windows\Downloaded Program Files\sysreqlab_srl.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
h:\windows\Downloaded Program Files\sysreqlab.osd

h:\windows\Downloaded Program Files\SpywareScanner.ocx - O16 -: {32305793-C19A-48E7-AD2F-D87FF7B264A4}
hxxp://www.process.com/spycatcher/SpywareScanner.ocx

h:\windows\Downloaded Program Files\Manager.exe - h:\windows\Downloaded Program Files\DownloadManagerV2.ocx
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}
hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
h:\windows\Downloaded Program Files\DownloadManagerV2.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 17:11:59
Windows 5.1.2600 Service Pack 3, v.5657 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxmqltoiqh.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1056)
h:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(1112)
h:\windows\system32\guard32.dll
.
Completion time: 2008-12-21 17:12:55
ComboFix-quarantined-files.txt 2008-12-21 22:12:51

Pre-Run: 31,356,919,808 bytes free
Post-Run: 31,728,295,936 bytes free

405 --- E O F --- 2008-12-21 08:00:20




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:47 PM, on 12/21/2008
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
H:\Program Files\TortoiseSVN\bin\TSVNCache.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\RTHDCPL.EXE
H:\Program Files\COMODO\COMODO Internet Security\cfp.exe
H:\WINDOWS\sm56hlpr.exe
H:\Program Files\Java\jre6\bin\jusched.exe
H:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
H:\Program Files\Hamachi\hamachi.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\PnkBstrA.exe
H:\Program Files\OpenOffice.org 3\program\soffice.exe
H:\Program Files\OpenOffice.org 3\program\soffice.bin
H:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\SearchIndexer.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Windows Desktop Search\WindowsSearch.exe
H:\WINDOWS\system32\wscntfy.exe
H:\Program Files\Opera\opera.exe
H:\WINDOWS\system32\wuauclt.exe
H:\WINDOWS\system32\notepad.exe
H:\WINDOWS\explorer.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - H:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [COMODO Internet Security] "H:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BOC-427] H:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "H:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: hamachi.lnk = H:\Program Files\Hamachi\hamachi.exe
O4 - Startup: OpenOffice.org 3.0.lnk = H:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://H:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://H:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://H:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://H:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - H:\Documents and Settings\nlfdjr\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.process.com/spycatcher/SpywareScanner.ocx
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O20 - AppInit_DLLs: H:\WINDOWS\system32\guard32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - H:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BOCore - COMODO - H:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - H:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - H:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: GBISUWIUCS - Unknown owner - H:\DOCUME~1\nlfdjr\LOCALS~1\Temp\GBISUWIUCS.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LB - Unknown owner - H:\DOCUME~1\ADMINI~1.NLF\LOCALS~1\Temp\LB.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - H:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - H:\Program Files\WinPcap\rpcapd.exe
O23 - Service: W - Unknown owner - H:\DOCUME~1\ADMINI~1.NLF\LOCALS~1\Temp\W.exe (file missing)
O23 - Service: XBUBKMSE - Unknown owner - H:\DOCUME~1\ADMINI~1.NLF\LOCALS~1\Temp\XBUBKMSE.exe (file missing)
O23 - Service: XVIKJXDJ - Unknown owner - H:\DOCUME~1\nlfdjr\LOCALS~1\Temp\XVIKJXDJ.exe (file missing)
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 8479 bytes

Attached Files

  • log.txt (38.25KB)


#8 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 21 December 2008 - 05:23 PM

Hello,

Thank you. :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: GBISUWIUCS - Unknown owner - H:\DOCUME~1\nlfdjr\LOCALS~1\Temp\GBISUWIUCS.exe (file missing)
O23 - Service: LB - Unknown owner - H:\DOCUME~1\ADMINI~1.NLF\LOCALS~1\Temp\LB.exe (file missing)
O23 - Service: W - Unknown owner - H:\DOCUME~1\ADMINI~1.NLF\LOCALS~1\Temp\W.exe (file missing)
O23 - Service: XBUBKMSE - Unknown owner - H:\DOCUME~1\ADMINI~1.NLF\LOCALS~1\Temp\XBUBKMSE.exe (file missing)
O23 - Service: XVIKJXDJ - Unknown owner - H:\DOCUME~1\nlfdjr\LOCALS~1\Temp\XVIKJXDJ.exe (file missing)
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

How is it running now? Have the redirects stopped?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
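A small triage script for the log format used in this thread, added here as an example (it is not part of the post and not HijackThis code): it applies the same criteria the reply above used when picking entries to fix, namely O23 services whose binary is missing or sits in a Temp folder, an O2 BHO with no file, and blanked R0 values, and runs them over lines copied from the log above plus one constructed benign R0 line. The regexes and the reason strings are this example's own.

```python
import re
from typing import Dict, List

# Regexes for three HijackThis v2 line shapes (written for this example; not HJT's own code).
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>.*?) = ?(?P<value>.*)$")
# Windows XP per-user temp folder, in 8.3 and long form.
TEMP_RE = re.compile(r"\\(LOCALS~1\\Temp|Local Settings\\Temp)\\", re.IGNORECASE)

def triage_line(line: str) -> List[str]:
    """Reasons one log line deserves a 'Fix checked' look; an empty list means leave it alone."""
    reasons: List[str] = []
    m = O23_RE.match(line)
    if m:
        name, owner, path = m["name"], m["owner"], m["path"]
        if m["missing"]:
            reasons.append("service binary is missing")
        if TEMP_RE.search(path):
            reasons.append("service binary lives in a Temp directory")
        stem = path.rsplit("\\", 1)[-1].split(".", 1)[0]
        if re.fullmatch(r"[A-Z]{1,12}", name) and stem == name:
            reasons.append("random-looking upper-case name that matches its file name")
        if owner == "Unknown owner" and reasons:
            reasons.append("no publisher recorded for an already suspicious service")
        return reasons
    m = O2_RE.match(line)
    if m and m["path"] == "(no file)":
        return ["orphaned BHO registration (no file on disk)"]
    m = R_RE.match(line)
    if m and m["value"] == "":
        return ["Internet Explorer page setting has been blanked"]
    return reasons

def triage_log(text: str) -> Dict[str, List[str]]:
    """Map every suspicious line of a log to its reasons, preserving log order."""
    return {ln: r for ln in text.splitlines() if (r := triage_line(ln.strip()))}

# Sample input: entries copied from the log in this thread, plus one constructed benign R0 line.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: GBISUWIUCS - Unknown owner - H:\DOCUME~1\nlfdjr\LOCALS~1\Temp\GBISUWIUCS.exe (file missing)
O23 - Service: LB - Unknown owner - H:\DOCUME~1\ADMINI~1.NLF\LOCALS~1\Temp\LB.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - H:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
"""
```

Calling `triage_log(SAMPLE_LOG)` returns the six entries the responder asked to have checked and leaves the Lavasoft, PunkBuster and Start Page lines alone; "Unknown owner" by itself is deliberately not enough to flag a service.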

#9 nlfdjr

  • Topic Starter

  • Members
  • 5 posts

Posted 22 December 2008 - 05:01 PM

Everything is good now. Thank you very much. Penor enlargement ads everywhere can become annoying. I thank you again. Keep up the good work.

#10 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 22 December 2008 - 05:11 PM

Awww.......thank you. :)

You're most welcome. Please do one more thing for me though: please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle Bin and reboot your computer. Have you run another scan with MBAM? If it came up clean, then all right. :thumbsup:


If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

It is very important to maintain your Firewall.
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running at least one of the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Take care!
tea

#11 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 27 December 2008 - 06:13 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.