Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

PopUps Strikes Again!


  • This topic is locked This topic is locked
11 replies to this topic

#1 dog54321

dog54321

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 30 December 2008 - 04:31 AM

Hi this is my second time at bleepingcomputer.com, i have recently got a pop-up virus and solved it at this thread http://www.bleepingcomputer.com/forums/t/177622/popups-slow-internet/. But now its come back. Here is a HiJackThis Log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:09 PM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\1\Desktop\Khoi Folder\Fixing Virus\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [book knob dvd plus] C:\Documents and Settings\All Users\Application Data\keep build book knob\intra setup.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?9caf2552e25d4e5e922457707c766ed8
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?9caf2552e25d4e5e922457707c766ed8
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: www.facebook.com
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/dow...llerControl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: My Current Home Page - About:Home

--
End of file - 12568 bytes

BC AdBot (Login to Remove)

 


#2 dog54321

dog54321
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 02 January 2009 - 05:45 PM

Edit: I used CA ANtiVirus Spyware Scanner to get rid of it but i have this Virus when i do my spyware scan called Trojan Swizzor, can you guys detect it in this HiJackThis Log?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:42 AM, on 1/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\windows\hffext\hffsrv.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
G:\MapleStory\npkcmsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Warcraft III\VisualCustomKick.exe
C:\Program Files\Warcraft III\StealthBot v2.6R3.exe
C:\Documents and Settings\1\Desktop\Khoi Folder\Fixing Virus\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [book knob dvd plus] C:\Documents and Settings\All Users\Application Data\keep build book knob\intra setup.exe
O4 - HKLM\..\Run: [HFFSRV] c:\windows\hffext\hffsrv.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?9caf2552e25d4e5e922457707c766ed8
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?9caf2552e25d4e5e922457707c766ed8
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: www.facebook.com
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/dow...llerControl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - G:\MapleStory\npkcmsvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: My Current Home Page - About:Home

--
End of file - 12662 bytes

#3 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:56 PM

Posted 04 January 2009 - 11:32 AM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Lop S&D
You can find a detailed instructions with visuals here:
http://eric.71.mespages.googlepages.com/lop.sd.en
  • Disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Please download Lop S&D by Eric_71 to your desktop, if you have not already or you lost your copy.
  • Double click LopSD.exe to run it. If you are using Windows Vista, right-click on LopSD.exe icon and select Run as administrator.
  • Choose the language by typing of the corresponding letter and pressing Enter.
  • Click OK at the prompt.
  • At this point, close all windows.
  • Type 1 followed by Enter to selection option "1 - Search".
  • When the scan is finished, a report (C:\lopR.txt) will be generated, post the contents of it in your next reply.

In your next reply include:
-the ComboFix log
-the Lop S&D log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#4 dog54321

dog54321
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 04 January 2009 - 10:17 PM

Hi PP, i attempted to disable everything in CA Antivirus but it didn't work it says CA is still running and it can run but there is a risk of it having errors or something like that, hlep please?

#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:56 PM

Posted 05 January 2009 - 11:39 AM

Hello.

Go ahead without disabling it then. Usually isn't a big problem.

With Regards,
The Panda

#6 dog54321

dog54321
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 06 January 2009 - 03:21 AM

~~~ ComboFix Log ~~~
ComboFix 09-01-05.05 - 1 2009-01-06 18:26:44.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.482 [GMT 10.5:30]
Running from: c:\documents and settings\1\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
FW: CA Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-05 12:11 . 2009-01-05 12:11 <DIR> d-------- c:\program files\directx
2009-01-05 12:03 . 2009-01-05 12:03 <DIR> d-------- c:\program files\Eidos Interactive
2009-01-03 17:10 . 2009-01-03 18:12 <DIR> d-------- c:\program files\LimeWire
2009-01-01 12:01 . 2009-01-01 12:01 <DIR> d-------- c:\program files\Lock Folder XP 3.6
2009-01-01 10:59 . 2009-01-01 10:59 <DIR> d-------- c:\program files\Hide Folders XP 2
2009-01-01 10:59 . 2007-01-23 01:26 17,264 --a------ c:\windows\system32\drivers\hfxp2.sys
2008-12-31 23:18 . 2008-12-31 23:18 <DIR> d--h----- c:\windows\hffext
2008-12-31 23:18 . 2008-12-31 23:18 <DIR> d-------- c:\program files\Hide Files and Folders
2008-12-31 23:18 . 2008-01-15 16:09 47,470 --a------ c:\windows\system32\drivers\FDCENT.SYS
2008-12-30 17:42 . 2008-12-30 17:42 <DIR> d-------- c:\program files\Flap Dart Dale
2008-12-30 17:42 . 2008-12-30 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\keep build book knob
2008-12-15 18:00 . 2008-12-15 18:02 <DIR> d-------- c:\program files\Folder Password Expert
2008-12-06 16:45 . 2008-12-06 16:45 2,117,632 --a------ c:\windows\system32\python25.dll
2008-12-06 16:45 . 2008-09-17 02:56 1,332,197 --a------ c:\windows\system32\pythondll.zip
2008-12-06 16:45 . 2008-12-06 16:45 339,968 --a------ c:\windows\system32\pythoncom25.dll
2008-12-06 16:45 . 2008-12-06 16:45 114,688 --a------ c:\windows\system32\pywintypes25.dll
2008-12-06 16:44 . 2008-12-06 16:45 <DIR> d-------- c:\program files\AGI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 07:33 --------- d-----w c:\program files\Warcraft III
2009-01-05 13:38 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k7
2009-01-05 13:38 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k6
2009-01-05 13:38 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k5
2009-01-05 13:38 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k4
2009-01-05 13:38 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k3
2009-01-05 13:38 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k2
2009-01-05 13:38 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k1
2009-01-05 13:38 294,970 ----a-w c:\windows\system32\drivers\kmxcfg.u2k0
2009-01-04 10:42 --------- d-----w c:\documents and settings\1\Application Data\LimeWire
2009-01-04 04:51 --------- d-----w c:\program files\Garena
2009-01-01 01:31 --------- d-----w c:\program files\Everstrike Software
2008-12-15 11:05 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-09 21:02 --------- d-----w c:\documents and settings\trinh\Application Data\LimeWire
2008-12-09 03:28 --------- d-----w c:\program files\StealthBot
2008-12-03 09:13 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2008-12-03 09:13 --------- d-----w c:\documents and settings\1\Application Data\AVS4YOU
2008-12-03 09:12 --------- d-----w c:\program files\Common Files\AVSMedia
2008-12-03 09:12 --------- d-----w c:\program files\AVS4YOU
2008-11-23 00:48 --------- d-----w c:\program files\Common Files\Everstrike Software
2008-11-22 02:48 --------- d-----w c:\program files\WinMX
2008-11-16 07:16 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-11-16 07:16 --------- d-----w c:\program files\Java
2008-11-15 01:23 --------- d-----w c:\program files\Google
2008-11-14 10:18 --------- d-----w c:\documents and settings\All Users\Application Data\PMB Files
2008-11-14 10:15 --------- d-----w c:\program files\Pando Networks
2008-11-13 07:21 --------- d-----w c:\program files\Bonjour
2008-11-13 05:22 --------- d-----w c:\program files\EsetOnlineScanner
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 03:43 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 03:43 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 03:42 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 03:42 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 03:39 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 03:39 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 03:39 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 03:38 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 03:36 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 03:36 208,744 ----a-w c:\windows\system32\muweb.dll
2008-12-22 04:05 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-22 04:05 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-22 04:05 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-22 04:05 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-22 04:05 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-07-24 22:27 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072520080726\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-02 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 177416]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-11-07 230928]
"Desktop Service Centre"="c:\program files\OptusNet DSL Internet\DSC.exe" [2005-11-30 2919831]
"cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-08-01 1193200]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-08-01 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-08-01 259312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-01-31 385024]
"book knob dvd plus"="c:\documents and settings\All Users\Application Data\keep build book knob\intra setup.exe" [2008-12-30 806912]
"HFFSRV"="c:\windows\hffext\hffsrv.exe" [2008-01-15 84480]
"LFAgent"="c:\program files\Lock Folder XP 3.6\LF30.exe" [2005-09-24 566272]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-01 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2006-05-17 2297856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "c:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 14:30 79368 c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCENT.SYS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HideFilesAndFolders_S]
@=""
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fssui]
--a------ 2007-12-17 12:12 243240 c:\program files\Windows Live\Family Safety\fssui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 13:36 229376 c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
--a------ 2007-09-20 08:23 132624 c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 17:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\SteamApps\\xfourkingsx\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\WinPcap\\rpcapd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11448:TCP"= 11448:TCP:BitComet 11448 TCP
"11448:UDP"= 11448:UDP:BitComet 11448 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"57567:TCP"= 57567:TCP:Pando Media Booster
"57567:UDP"= 57567:UDP:Pando Media Booster

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R0 HFXP2;HFXP2;c:\windows\system32\drivers\hfxp2.sys [2009-01-01 17264]
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2008-06-24 93712]
R1 FDCENT;FDCENT;c:\windows\system32\drivers\FDCENT.SYS [2008-12-31 47470]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-06-24 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-06-24 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-06-24 115216]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-06-24 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-03-12 189704]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-03-27 167808]
R4 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2008-09-14 43816]
R4 fsssvc;Windows Live OneCare Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2007-12-17 523816]
R4 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-06-24 134648]
R4 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-06-24 66576]
R4 LF30FS;LF30FS;c:\program files\Lock Folder XP 3.6\LF30XP.sys [2004-11-19 101488]
R4 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-18 1010192]
R4 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 801296]
R4 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-06-24 281104]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\1\LOCALS~1\Temp\ARQE8.tmp --> c:\docume~1\1\LOCALS~1\Temp\ARQE8.tmp [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-15 33752]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2005-08-03 32512]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);c:\windows\system32\drivers\SE2Ebus.sys [2007-09-19 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Emdfl.sys [2007-09-19 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Emdm.sys [2007-09-19 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Emgmt.sys [2007-09-19 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se2End5.sys [2007-09-19 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Eobex.sys [2007-09-19 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se2Eunic.sys [2007-09-19 90800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8bc92e02-9b1f-11dc-9c92-0018d107cef6}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\A93B43C19184FC4D.job
- c:\docume~1\vivian\applic~1\flapda~1\rule part body.exe []

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-01-03 c:\windows\Tasks\CAAntiSpywareScan_Daily as 1 at 7 25 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-11-07 13:53]

2009-01-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CTFMON - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?9caf2552e25d4e5e922457707c766ed8
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?9caf2552e25d4e5e922457707c766ed8
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: www.facebook.com

c:\windows\Downloaded Program Files\InstallerControl.dll - O16 -: CabBuilder
hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
c:\windows\Downloaded Program Files\OSDC5.OSD

c:\windows\Downloaded Program Files\GoPetsWeb.ocx - O16 -: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8}
hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
c:\windows\Downloaded Program Files\GoPetsWeb.inf
FF - ProfilePath - c:\documents and settings\1\Application Data\Mozilla\Firefox\Profiles\hsco69ky.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\progra~1\MOZILL~1\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 18:31:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\1\LOCALS~1\Temp\ARQE8.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1417001333-1078145449-2147034123-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8D71D41A-E623-D591-21D9-1C62854769C0}*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abpkfmanhlkkacgabmjacfhiidbgfgbeip"=hex:61,61,00,00
"bbpkfmanhlkkacgabmiacmcaglebnhemmnie"=hex:61,61,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(884)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
Completion time: 2009-01-06 18:34:03
ComboFix-quarantined-files.txt 2009-01-06 08:04:00

Pre-Run: 143,826,378,752 bytes free
Post-Run: 143,920,992,256 bytes free

287 --- E O F --- 2009-01-06 06:36:51
~~~ ComboFix Log~~~
--- HiJackThis Log ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:36 PM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\windows\hffext\hffsrv.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Warcraft III\StealthBot v2.6R3.exe
C:\Program Files\Warcraft III\WindowTools.exe
C:\Documents and Settings\1\Desktop\Khoi Folder\Fixing Virus\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [book knob dvd plus] C:\Documents and Settings\All Users\Application Data\keep build book knob\intra setup.exe
O4 - HKLM\..\Run: [HFFSRV] c:\windows\hffext\hffsrv.exe
O4 - HKLM\..\Run: [LFAgent] C:\Program Files\Lock Folder XP 3.6\LF30.exe -start
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?9caf2552e25d4e5e922457707c766ed8
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?9caf2552e25d4e5e922457707c766ed8
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: www.facebook.com
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/dow...llerControl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: npkcmsvc - Unknown owner - G:\MapleStory\npkcmsvc.exe (file missing)
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: My Current Home Page - About:Home

--
End of file - 12420 bytes
--- HiJackThis Log---
...Lopr Log...

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Genuine Intel® CPU 2140 @ 1.60GHz )
BIOS : BIOS Date: 11/30/06 16:05:16 Ver: 08.00.10
USER : 1 ( Administrator )
BOOT : Normal boot
Antivirus : CA Anti-Virus 8.4.0.16 (Activated)
Firewall : CA Personal Firewall 9.1.0.38 (Not Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:232 Go (Free:134 Go)
D:\ (CD or DVD)
E:\ (CD or DVD) - CDFS - Total:0 Go (Free:0 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Tue 01/06/2009|18:41 )

--------------------\\ Listing folders in APPLIC~1

[07/16/2008|02:27] C:\DOCUME~1\1\APPLIC~1\<DIR> Adobe
[10/07/2007|02:00] C:\DOCUME~1\1\APPLIC~1\<DIR> Ahead
[08/30/2007|11:10] C:\DOCUME~1\1\APPLIC~1\<DIR> Apple Computer
[12/03/2008|07:43] C:\DOCUME~1\1\APPLIC~1\<DIR> AVS4YOU
[02/14/2008|09:53] C:\DOCUME~1\1\APPLIC~1\<DIR> DataCast
[11/18/2007|07:23] C:\DOCUME~1\1\APPLIC~1\<DIR> DivX
[03/27/2008|08:17] C:\DOCUME~1\1\APPLIC~1\<DIR> Download Manager
[04/27/2008|04:47] C:\DOCUME~1\1\APPLIC~1\<DIR> dvdcss
[11/15/2008|11:53] C:\DOCUME~1\1\APPLIC~1\<DIR> Google
[07/01/2008|08:40] C:\DOCUME~1\1\APPLIC~1\<DIR> gtk-2.0
[09/02/2007|01:31] C:\DOCUME~1\1\APPLIC~1\<DIR> Help
[08/30/2007|04:31] C:\DOCUME~1\1\APPLIC~1\<DIR> Identities
[02/14/2008|09:33] C:\DOCUME~1\1\APPLIC~1\<DIR> InstallShield
[11/06/2007|09:12] C:\DOCUME~1\1\APPLIC~1\<DIR> Lavasoft
[01/04/2009|09:12] C:\DOCUME~1\1\APPLIC~1\<DIR> LimeWire
[06/23/2008|09:29] C:\DOCUME~1\1\APPLIC~1\<DIR> Macromedia
[07/20/2008|10:24] C:\DOCUME~1\1\APPLIC~1\<DIR> Malwarebytes
[02/02/2008|12:45] C:\DOCUME~1\1\APPLIC~1\<DIR> Media Player Classic
[09/20/2008|05:04] C:\DOCUME~1\1\APPLIC~1\<DIR> Microsoft
[01/11/2008|07:12] C:\DOCUME~1\1\APPLIC~1\<DIR> Mozilla
[09/02/2007|08:08] C:\DOCUME~1\1\APPLIC~1\<DIR> MSNInstaller
[09/10/2007|08:24] C:\DOCUME~1\1\APPLIC~1\<DIR> Nexon
[08/09/2008|05:41] C:\DOCUME~1\1\APPLIC~1\<DIR> Nokia Multimedia Player
[09/14/2007|04:40] C:\DOCUME~1\1\APPLIC~1\<DIR> PC Suite
[11/25/2007|09:21] C:\DOCUME~1\1\APPLIC~1\<DIR> Printer Info Cache
[01/11/2008|07:12] C:\DOCUME~1\1\APPLIC~1\<DIR> Real
[07/26/2008|11:42] C:\DOCUME~1\1\APPLIC~1\<DIR> RSG
[09/19/2007|06:49] C:\DOCUME~1\1\APPLIC~1\<DIR> Sony Ericsson
[10/04/2007|04:30] C:\DOCUME~1\1\APPLIC~1\<DIR> Sun
[11/07/2007|03:30] C:\DOCUME~1\1\APPLIC~1\<DIR> SUPERAntiSpyware.com
[01/11/2008|07:14] C:\DOCUME~1\1\APPLIC~1\<DIR> Talkback
[09/19/2007|06:49] C:\DOCUME~1\1\APPLIC~1\<DIR> Teleca
[09/21/2008|01:09] C:\DOCUME~1\1\APPLIC~1\<DIR> U3
[07/25/2008|10:51] C:\DOCUME~1\1\APPLIC~1\<DIR> Ventrilo
[08/31/2007|06:27] C:\DOCUME~1\1\APPLIC~1\<DIR> vlc
[03/10/2008|09:49] C:\DOCUME~1\1\APPLIC~1\<DIR> WinRAR

[04/14/2008|10:59] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft

[10/15/2008|10:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[09/27/2007|09:56] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Ahead
[01/27/2008|11:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple
[01/27/2008|11:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[04/14/2008|11:00] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Avg7
[12/03/2008|07:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AVS4YOU
[06/14/2008|03:28] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> CA
[09/14/2008|04:55] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Downloaded Installations
[07/16/2008|02:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> FLEXnet
[09/09/2008|05:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google
[12/30/2008|05:42] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> keep build book knob
[03/28/2008|08:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> kfoxwngp
[08/31/2007|05:00] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> LightScribe
[07/20/2008|10:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[09/14/2008|06:42] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> McAfee
[04/25/2008|01:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Messenger Plus!
[03/04/2008|08:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[01/11/2008|07:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Mozilla
[08/30/2007|05:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Nero
[07/11/2008|02:39] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NexonUS
[10/15/2008|10:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NOS
[09/14/2007|04:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> PC Suite
[03/27/2008|08:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> pI3demoLicense
[11/14/2008|08:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> PMB Files
[08/30/2007|04:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Real
[09/19/2007|06:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Sony Ericsson
[09/12/2008|07:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
[11/06/2007|02:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SUPERAntiSpyware.com
[11/07/2007|03:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Symantec
[09/19/2007|06:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Teleca
[04/01/2008|03:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TEMP
[02/16/2008|12:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[08/30/2007|07:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Live Toolbar
[12/15/2008|09:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> WLInstaller
[03/27/2008|08:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> wondertouch
[09/09/2007|01:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Yahoo!

[04/14/2008|09:32] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[04/14/2008|10:59] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[04/14/2008|10:59] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

[11/07/2008|06:15] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Adobe
[09/27/2007|09:56] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Ahead
[08/31/2007|10:13] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Apple Computer
[09/28/2007|10:45] C:\DOCUME~1\trinh\APPLIC~1\<DIR> DivX
[09/03/2007|02:03] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Google
[11/21/2007|06:24] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Help
[08/31/2007|08:48] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Identities
[12/10/2008|07:32] C:\DOCUME~1\trinh\APPLIC~1\<DIR> LimeWire
[08/31/2007|10:05] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Macromedia
[09/08/2008|09:03] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Malwarebytes
[09/28/2007|11:10] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Media Player Classic
[05/19/2008|06:05] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Microsoft
[01/25/2008|04:37] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Mozilla
[09/09/2007|12:40] C:\DOCUME~1\trinh\APPLIC~1\<DIR> MSNInstaller
[11/30/2007|06:13] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Nexon
[09/15/2007|09:55] C:\DOCUME~1\trinh\APPLIC~1\<DIR> PC Suite
[01/25/2008|04:43] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Real
[09/20/2007|10:03] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Sony Ericsson
[09/20/2007|03:44] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Sun
[01/25/2008|04:37] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Talkback
[09/20/2007|10:03] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Teleca
[09/05/2007|02:22] C:\DOCUME~1\trinh\APPLIC~1\<DIR> vlc
[05/19/2008|06:05] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Windows Live Writer
[03/19/2008|07:47] C:\DOCUME~1\trinh\APPLIC~1\<DIR> WinRAR
[09/09/2007|01:02] C:\DOCUME~1\trinh\APPLIC~1\<DIR> Yahoo!


--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[01/06/2009 06:00 PM][--ah-----] C:\WINDOWS\tasks\A93B43C19184FC4D.job
[01/03/2009 07:25 PM][--a------] C:\WINDOWS\tasks\CAAntiSpywareScan_Daily as 1 at 7 25 PM.job
[12/31/2008 03:50 PM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[01/06/2009 05:29 PM][--a------] C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[01/06/2009 06:34 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[02/28/2006 10:30 PM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

( A93B43C19184FC4D.job )=( c:\docume~1\vivian\applic~1\flapda~1\rulepartbody.exe )

--------------------\\ Listing Folders in C:\Program Files

[10/15/2008|10:19] C:\Program Files\<DIR> Adobe
[12/06/2008|04:45] C:\Program Files\<DIR> AGI
[01/27/2008|11:44] C:\Program Files\<DIR> Apple Software Update
[12/03/2008|07:42] C:\Program Files\<DIR> AVS4YOU
[01/11/2008|09:56] C:\Program Files\<DIR> BitComet
[11/13/2008|05:51] C:\Program Files\<DIR> Bonjour
[11/07/2007|01:50] C:\Program Files\<DIR> CA
[01/06/2009|06:29] C:\Program Files\<DIR> Common Files
[08/30/2007|04:23] C:\Program Files\<DIR> ComPlus Applications
[09/14/2007|04:29] C:\Program Files\<DIR> DIFX
[01/05/2009|12:11] C:\Program Files\<DIR> directx
[01/05/2009|12:03] C:\Program Files\<DIR> Eidos Interactive
[11/13/2008|03:52] C:\Program Files\<DIR> EsetOnlineScanner
[01/01/2009|12:01] C:\Program Files\<DIR> Everstrike Software
[12/30/2008|05:42] C:\Program Files\<DIR> Flap Dart Dale
[12/15/2008|06:02] C:\Program Files\<DIR> Folder Password Expert
[01/04/2009|03:21] C:\Program Files\<DIR> Garena
[11/15/2008|11:53] C:\Program Files\<DIR> Google
[01/21/2008|08:34] C:\Program Files\<DIR> Growler Guncam
[12/31/2008|11:18] C:\Program Files\<DIR> Hide Files and Folders
[01/01/2009|10:59] C:\Program Files\<DIR> Hide Folders XP 2
[09/19/2008|05:12] C:\Program Files\<DIR> InstallShield Installation Information
[12/13/2008|08:34] C:\Program Files\<DIR> Internet Explorer
[02/26/2008|10:28] C:\Program Files\<DIR> iPod
[02/26/2008|10:30] C:\Program Files\<DIR> iTunes
[11/16/2008|05:46] C:\Program Files\<DIR> Java
[08/30/2007|04:45] C:\Program Files\<DIR> K-Lite Codec Pack
[02/14/2008|09:51] C:\Program Files\<DIR> Lame MP3 Codec
[02/15/2008|11:46] C:\Program Files\<DIR> LG Electronics
[02/15/2008|11:45] C:\Program Files\<DIR> LGGSM
[01/03/2009|06:12] C:\Program Files\<DIR> LimeWire
[01/01/2009|12:01] C:\Program Files\<DIR> Lock Folder XP 3.6
[02/14/2008|09:50] C:\Program Files\<DIR> MarkAny
[08/16/2008|11:23] C:\Program Files\<DIR> Messenger
[09/22/2008|12:13] C:\Program Files\<DIR> Messenger Plus! Live
[08/30/2007|04:34] C:\Program Files\<DIR> Microsoft ActiveSync
[01/13/2008|07:36] C:\Program Files\<DIR> Microsoft CAPICOM 2.1.0.2
[08/30/2007|04:26] C:\Program Files\<DIR> microsoft frontpage
[08/30/2007|04:34] C:\Program Files\<DIR> Microsoft Office
[03/04/2008|08:35] C:\Program Files\<DIR> Microsoft SQL Server Compact Edition
[08/30/2007|04:34] C:\Program Files\<DIR> Microsoft Visual Studio
[06/25/2008|08:23] C:\Program Files\<DIR> Microsoft Windows OneCare Live
[08/30/2007|04:34] C:\Program Files\<DIR> Microsoft Works
[08/30/2007|04:35] C:\Program Files\<DIR> Microsoft.NET
[07/25/2008|08:44] C:\Program Files\<DIR> Movie Maker
[01/06/2009|06:10] C:\Program Files\<DIR> Mozilla Firefox
[08/31/2007|07:49] C:\Program Files\<DIR> MSN
[08/30/2007|04:23] C:\Program Files\<DIR> MSN Gaming Zone
[09/20/2007|11:20] C:\Program Files\<DIR> MSXML 4.0
[08/30/2007|05:02] C:\Program Files\<DIR> Nero
[01/09/2008|03:41] C:\Program Files\<DIR> NETGEAR
[12/07/2008|09:34] C:\Program Files\<DIR> NetMeeting
[09/14/2007|04:28] C:\Program Files\<DIR> Nokia
[10/15/2008|10:09] C:\Program Files\<DIR> NOS
[08/30/2007|04:23] C:\Program Files\<DIR> Online Services
[08/30/2007|07:35] C:\Program Files\<DIR> OptusNet DSL Internet
[07/25/2008|08:38] C:\Program Files\<DIR> Outlook Express
[11/14/2008|08:45] C:\Program Files\<DIR> Pando Networks
[01/11/2008|07:10] C:\Program Files\<DIR> Real
[08/30/2007|04:45] C:\Program Files\<DIR> Realtek
[02/14/2008|09:50] C:\Program Files\<DIR> Samsung
[08/30/2007|07:35] C:\Program Files\<DIR> Siemens Subscriber Networks
[09/02/2008|07:45] C:\Program Files\<DIR> Smart PC Solutions
[04/15/2008|10:29] C:\Program Files\<DIR> softnyx
[09/19/2007|06:45] C:\Program Files\<DIR> Sony Ericsson
[12/09/2008|01:58] C:\Program Files\<DIR> StealthBot
[09/19/2008|09:06] C:\Program Files\<DIR> Steam
[09/08/2007|02:47] C:\Program Files\<DIR> Techland
[08/30/2007|04:31] C:\Program Files\<DIR> Uninstall Information
[10/24/2007|07:22] C:\Program Files\<DIR> VideoLAN
[01/06/2009|06:37] C:\Program Files\<DIR> Warcraft III
[08/28/2008|10:45] C:\Program Files\<DIR> WC3Banlist
[09/14/2008|12:31] C:\Program Files\<DIR> Windows Live
[01/13/2008|01:28] C:\Program Files\<DIR> Windows Live Favorites
[09/04/2008|09:03] C:\Program Files\<DIR> Windows Live Safety Center
[01/13/2008|07:34] C:\Program Files\<DIR> Windows Live Toolbar
[02/14/2008|04:05] C:\Program Files\<DIR> Windows Media Connect 2
[07/25/2008|08:39] C:\Program Files\<DIR> Windows Media Player
[07/25/2008|08:38] C:\Program Files\<DIR> Windows NT
[08/30/2007|04:25] C:\Program Files\<DIR> WindowsUpdate
[11/22/2008|01:18] C:\Program Files\<DIR> WinMX
[08/08/2008|07:37] C:\Program Files\<DIR> WinPcap
[06/26/2008|07:02] C:\Program Files\<DIR> WinRAR
[08/30/2007|04:26] C:\Program Files\<DIR> xerox
[02/14/2008|09:51] C:\Program Files\<DIR> XviD
[01/21/2008|08:27] C:\Program Files\<DIR> ZD Soft

--------------------\\ Listing Folders in C:\Program Files\Common Files

[10/15/2008|10:19] C:\Program Files\Common Files\<DIR> Adobe
[07/16/2008|01:19] C:\Program Files\Common Files\<DIR> Adobe AIR
[08/30/2007|05:03] C:\Program Files\Common Files\<DIR> Ahead
[01/27/2008|11:43] C:\Program Files\Common Files\<DIR> Apple
[12/03/2008|07:42] C:\Program Files\Common Files\<DIR> AVSMedia
[08/30/2007|04:34] C:\Program Files\Common Files\<DIR> DESIGNER
[07/20/2008|10:21] C:\Program Files\Common Files\<DIR> Download Manager
[11/23/2008|11:18] C:\Program Files\Common Files\<DIR> Everstrike Software
[01/21/2008|08:32] C:\Program Files\Common Files\<DIR> GC Install
[02/05/2008|06:46] C:\Program Files\Common Files\<DIR> INCA Shared
[02/15/2008|11:44] C:\Program Files\Common Files\<DIR> InstallShield
[08/30/2007|04:35] C:\Program Files\Common Files\<DIR> L&H
[08/30/2007|05:06] C:\Program Files\Common Files\<DIR> LightScribe
[07/16/2008|01:52] C:\Program Files\Common Files\<DIR> Macrovision Shared
[12/03/2008|07:41] C:\Program Files\Common Files\<DIR> Microsoft Shared
[08/30/2007|04:24] C:\Program Files\Common Files\<DIR> MSSoap
[09/14/2007|04:28] C:\Program Files\Common Files\<DIR> Nokia
[08/31/2007|01:47] C:\Program Files\Common Files\<DIR> ODBC
[09/14/2007|04:28] C:\Program Files\Common Files\<DIR> PCSuite
[01/11/2008|07:11] C:\Program Files\Common Files\<DIR> Real
[11/07/2007|03:33] C:\Program Files\Common Files\<DIR> Scanner
[08/30/2007|04:24] C:\Program Files\Common Files\<DIR> Services
[08/31/2007|01:47] C:\Program Files\Common Files\<DIR> SpeechEngines
[11/07/2007|03:33] C:\Program Files\Common Files\<DIR> Symantec Shared
[07/25/2008|08:38] C:\Program Files\Common Files\<DIR> System
[09/19/2007|06:46] C:\Program Files\Common Files\<DIR> Teleca Shared
[01/13/2008|01:16] C:\Program Files\Common Files\<DIR> WindowsLiveInstaller
[01/11/2008|07:11] C:\Program Files\Common Files\<DIR> xing shared

--------------------\\ Process

( 57 Processes )

iexplore.exe ~ [PID:3172]

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\Program Files\flapda~1
C:\WINDOWS\Tasks\A93B43C19184FC4D.job

--------------------\\ Searching within the Registry

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 18:45:28
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 10

--------------------\\ Searching for other infections


No other infections found !

[F:14][D:3]-> C:\DOCUME~1\1\LOCALS~1\Temp
[F:33][D:0]-> C:\DOCUME~1\1\Cookies
[F:373][D:4]-> C:\DOCUME~1\1\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Tue 01/06/2009|18:47 - Option : [1]

--------------------\\ Scan completed at 18:47:45
...Lopr Log...

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:56 PM

Posted 06 January 2009 - 11:55 AM

Hello.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    C:\WINDOWS\Tasks\A93B43C19184FC4D.job
    
    Folder::
    c:\docume~1\vivian\applic~1\flapda~1
    c:\documents and settings\All Users\Application Data\keep build book knob
    c:\program files\Flap Dart Dale
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "book knob dvd plus"=-
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Refering to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please post back with:
-the ComboFix log
-the F-Secure scan log

Popups gone?

With Regards,
The Panda

#8 dog54321

dog54321
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 08 January 2009 - 01:29 AM

Scanning Report
Thursday, January 08, 2009 15:56:58 - 16:57:37
Computer name: 1-8927C7F107494
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 3 malware found
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Atdmt (spyware)
System
Trojan:W32/VB.BLD (virus)
C:\PROGRAM FILES\STEALTHBOT\STEALTHBOT V2.6R3.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 46362
System: 4883
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 3
Submitted: 1
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\FDCENT.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBARNOTIFIER\SWG-3.1.807.1746\SEARCHWITHGOOGLEUPDATE.EXE

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Hydra: 2.8.8110, 2009-01-08
F-Secure AVP: 7.0.171, 2009-01-08
F-Secure Pegasus: 1.20.0, 2008-11-17
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

ComboFix 09-01-05.05 - 1 2009-01-06 18:26:44.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.482 [GMT 10.5:30]
Running from: c:\documents and settings\1\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
FW: CA Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-05 12:11 . 2009-01-05 12:11 <DIR> d-------- c:\program files\directx
2009-01-05 12:03 . 2009-01-05 12:03 <DIR> d-------- c:\program files\Eidos Interactive
2009-01-03 17:10 . 2009-01-03 18:12 <DIR> d-------- c:\program files\LimeWire
2009-01-01 12:01 . 2009-01-01 12:01 <DIR> d-------- c:\program files\Lock Folder XP 3.6
2009-01-01 10:59 . 2009-01-01 10:59 <DIR> d-------- c:\program files\Hide Folders XP 2
2009-01-01 10:59 . 2007-01-23 01:26 17,264 --a------ c:\windows\system32\drivers\hfxp2.sys
2008-12-31 23:18 . 2008-12-31 23:18 <DIR> d--h----- c:\windows\hffext
2008-12-31 23:18 . 2008-12-31 23:18 <DIR> d-------- c:\program files\Hide Files and Folders
2008-12-31 23:18 . 2008-01-15 16:09 47,470 --a------ c:\windows\system32\drivers\FDCENT.SYS
2008-12-30 17:42 . 2008-12-30 17:42 <DIR> d-------- c:\program files\Flap Dart Dale
2008-12-30 17:42 . 2008-12-30 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\keep build book knob
2008-12-15 18:00 . 2008-12-15 18:02 <DIR> d-------- c:\program files\Folder Password Expert
2008-12-06 16:45 . 2008-12-06 16:45 2,117,632 --a------ c:\windows\system32\python25.dll
2008-12-06 16:45 . 2008-09-17 02:56 1,332,197 --a------ c:\windows\system32\pythondll.zip
2008-12-06 16:45 . 2008-12-06 16:45 339,968 --a------ c:\windows\system32\pythoncom25.dll
2008-12-06 16:45 . 2008-12-06 16:45 114,688 --a------ c:\windows\system32\pywintypes25.dll
2008-12-06 16:44 . 2008-12-06 16:45 <DIR> d-------- c:\program files\AGI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 07:33 --------- d-----w c:\program files\Warcraft III
2009-01-05 13:38 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k7
2009-01-05 13:38 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k6
2009-01-05 13:38 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k5
2009-01-05 13:38 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k4
2009-01-05 13:38 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k3
2009-01-05 13:38 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k2
2009-01-05 13:38 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k1
2009-01-05 13:38 294,970 ----a-w c:\windows\system32\drivers\kmxcfg.u2k0
2009-01-04 10:42 --------- d-----w c:\documents and settings\1\Application Data\LimeWire
2009-01-04 04:51 --------- d-----w c:\program files\Garena
2009-01-01 01:31 --------- d-----w c:\program files\Everstrike Software
2008-12-15 11:05 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-09 21:02 --------- d-----w c:\documents and settings\trinh\Application Data\LimeWire
2008-12-09 03:28 --------- d-----w c:\program files\StealthBot
2008-12-03 09:13 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2008-12-03 09:13 --------- d-----w c:\documents and settings\1\Application Data\AVS4YOU
2008-12-03 09:12 --------- d-----w c:\program files\Common Files\AVSMedia
2008-12-03 09:12 --------- d-----w c:\program files\AVS4YOU
2008-11-23 00:48 --------- d-----w c:\program files\Common Files\Everstrike Software
2008-11-22 02:48 --------- d-----w c:\program files\WinMX
2008-11-16 07:16 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-11-16 07:16 --------- d-----w c:\program files\Java
2008-11-15 01:23 --------- d-----w c:\program files\Google
2008-11-14 10:18 --------- d-----w c:\documents and settings\All Users\Application Data\PMB Files
2008-11-14 10:15 --------- d-----w c:\program files\Pando Networks
2008-11-13 07:21 --------- d-----w c:\program files\Bonjour
2008-11-13 05:22 --------- d-----w c:\program files\EsetOnlineScanner
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 03:43 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 03:43 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 03:42 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 03:42 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 03:39 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 03:39 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 03:39 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 03:38 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 03:36 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 03:36 208,744 ----a-w c:\windows\system32\muweb.dll
2008-12-22 04:05 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-22 04:05 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-22 04:05 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-22 04:05 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-22 04:05 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-07-24 22:27 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072520080726\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-02 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 177416]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-11-07 230928]
"Desktop Service Centre"="c:\program files\OptusNet DSL Internet\DSC.exe" [2005-11-30 2919831]
"cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-08-01 1193200]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-08-01 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-08-01 259312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-01-31 385024]
"book knob dvd plus"="c:\documents and settings\All Users\Application Data\keep build book knob\intra setup.exe" [2008-12-30 806912]
"HFFSRV"="c:\windows\hffext\hffsrv.exe" [2008-01-15 84480]
"LFAgent"="c:\program files\Lock Folder XP 3.6\LF30.exe" [2005-09-24 566272]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-01 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2006-05-17 2297856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "c:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 14:30 79368 c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCENT.SYS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HideFilesAndFolders_S]
@=""
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fssui]
--a------ 2007-12-17 12:12 243240 c:\program files\Windows Live\Family Safety\fssui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 13:36 229376 c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
--a------ 2007-09-20 08:23 132624 c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 17:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\SteamApps\\xfourkingsx\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\WinPcap\\rpcapd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11448:TCP"= 11448:TCP:BitComet 11448 TCP
"11448:UDP"= 11448:UDP:BitComet 11448 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"57567:TCP"= 57567:TCP:Pando Media Booster
"57567:UDP"= 57567:UDP:Pando Media Booster

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R0 HFXP2;HFXP2;c:\windows\system32\drivers\hfxp2.sys [2009-01-01 17264]
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2008-06-24 93712]
R1 FDCENT;FDCENT;c:\windows\system32\drivers\FDCENT.SYS [2008-12-31 47470]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-06-24 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-06-24 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-06-24 115216]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-06-24 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-03-12 189704]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-03-27 167808]
R4 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2008-09-14 43816]
R4 fsssvc;Windows Live OneCare Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2007-12-17 523816]
R4 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-06-24 134648]
R4 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-06-24 66576]
R4 LF30FS;LF30FS;c:\program files\Lock Folder XP 3.6\LF30XP.sys [2004-11-19 101488]
R4 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-18 1010192]
R4 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 801296]
R4 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-06-24 281104]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\1\LOCALS~1\Temp\ARQE8.tmp --> c:\docume~1\1\LOCALS~1\Temp\ARQE8.tmp [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-15 33752]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2005-08-03 32512]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);c:\windows\system32\drivers\SE2Ebus.sys [2007-09-19 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Emdfl.sys [2007-09-19 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Emdm.sys [2007-09-19 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Emgmt.sys [2007-09-19 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se2End5.sys [2007-09-19 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Eobex.sys [2007-09-19 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se2Eunic.sys [2007-09-19 90800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8bc92e02-9b1f-11dc-9c92-0018d107cef6}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\A93B43C19184FC4D.job
- c:\docume~1\vivian\applic~1\flapda~1\rule part body.exe []

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-01-03 c:\windows\Tasks\CAAntiSpywareScan_Daily as 1 at 7 25 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-11-07 13:53]

2009-01-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CTFMON - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?9caf2552e25d4e5e922457707c766ed8
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?9caf2552e25d4e5e922457707c766ed8
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: www.facebook.com

c:\windows\Downloaded Program Files\InstallerControl.dll - O16 -: CabBuilder
hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
c:\windows\Downloaded Program Files\OSDC5.OSD

c:\windows\Downloaded Program Files\GoPetsWeb.ocx - O16 -: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8}
hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
c:\windows\Downloaded Program Files\GoPetsWeb.inf
FF - ProfilePath - c:\documents and settings\1\Application Data\Mozilla\Firefox\Profiles\hsco69ky.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\progra~1\MOZILL~1\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 18:31:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\1\LOCALS~1\Temp\ARQE8.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1417001333-1078145449-2147034123-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8D71D41A-E623-D591-21D9-1C62854769C0}*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abpkfmanhlkkacgabmjacfhiidbgfgbeip"=hex:61,61,00,00
"bbpkfmanhlkkacgabmiacmcaglebnhemmnie"=hex:61,61,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(884)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
Completion time: 2009-01-06 18:34:03
ComboFix-quarantined-files.txt 2009-01-06 08:04:00

Pre-Run: 143,826,378,752 bytes free
Post-Run: 143,920,992,256 bytes free

287 --- E O F --- 2009-01-06 06:36:51

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:56 PM

Posted 08 January 2009 - 08:12 AM

Hello.

That is the same ComboFix log you posted last time. Please post the contents of C:\ComboFix.txt.

Looks good. Any problems right now?

Please take a new HijackThis scan log.

With Regards,
The Panda

#10 dog54321

dog54321
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 09 January 2009 - 07:00 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:14 AM, on 1/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\windows\hffext\hffsrv.exe
C:\Program Files\Lock Folder XP 3.6\LF30.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\1\Desktop\Khoi Folder\Fixing Virus\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HFFSRV] c:\windows\hffext\hffsrv.exe
O4 - HKLM\..\Run: [LFAgent] C:\Program Files\Lock Folder XP 3.6\LF30.exe -start
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?9caf2552e25d4e5e922457707c766ed8
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?9caf2552e25d4e5e922457707c766ed8
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: www.facebook.com
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/dow...llerControl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: npkcmsvc - Unknown owner - G:\MapleStory\npkcmsvc.exe (file missing)
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: My Current Home Page - About:Home

--
End of file - 13180 bytes


Cant find combofix.log .. :thumbsup: but everything seems ok now

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:56 PM

Posted 09 January 2009 - 07:21 PM

Looks good.

Cant find combofix.log .. but everything seems ok now

No problem.

Unless you have any other problems, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.

If this tool has helped you, please consider making a donation to its author. Posted Image
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
    Posted Image
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear System Restore cache and creates new restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable uneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:56 PM

Posted 14 January 2009 - 12:28 PM

Hello.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users