
Unknown infection - services.exe


  • This topic is locked
8 replies to this topic

#1 Stettin

Stettin

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:47 PM

Posted 06 July 2009 - 10:41 PM

Sorry, I did some more research and tried a few more things since I posted originally.....
-----edit----
I tried installing Avast and did a boot time scan and found nothing. I did some more poking around and figured this was some type of rootkit. I ran Sysinternals Rootkit Revealer and I was able to find that the c:\windows\system32\drivers\9f4cfef0.sys was being hidden from the system. Also some reg keys were hidden.

HKLM\SYSTEM\ControlSet001\Services\9f4cfef0 7/7/2009 7:31 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\9f4cfef0 7/7/2009 7:31 PM 0 bytes Hidden from Windows API.


I couldn't delete the file, so I booted to my Ubuntu live CD, copied the file to my flash drive and deleted it. I popped it into my other computer and clicked on it and Avira gave me a warning: "Contains a recognition pattern of the (harmful) BDS/NewRest.AQ back-door program." I moved it to Quarantine and submitted it to Avira.

I cleared out the registry entries, rebooted, and there are no more outbound connections being initiated.... Any suggestions on how to verify that I'm clean?
----edit----


I noticed in my Comodo firewall that services.exe is opening up hundreds of connections on port 25/smtp. If I pull my network cable, the connections stop, then if I plug it back in I see a bunch of DNS requests go out on port 53, then hundreds on port 25. I know I have some type of worm, but haven't been able to figure out which. I ran a full scan using Avira AntiVir, SpyBot Search and Destroy, and Malwarebytes. A few things were detected and removed, but obviously not everything. Any help is appreciated.



DDS (Ver_09-06-26.01) - NTFSx86
Run by Stettin at 22:29:32.07 on Mon 07/06/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2666 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\scan\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [ProfilerU] c:\program files\saitek\sd6\software\ProfilerU.exe
mRun: [SaiMfd] c:\program files\saitek\sd6\software\SaiMfd.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
AppInit_DLLs: c:\windows\system32\guard32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\stettin\applic~1\mozilla\firefox\profiles\mxzz3mkw.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 HFXP2;HFXP2;c:\windows\system32\drivers\hfxp2.sys [2008-12-15 13824]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-7 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-12-14 131912]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-12-14 25160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-7 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-7 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-7 55640]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2008-12-14 707152]
S3 memsweep2;MEMSWEEP2;\??\c:\windows\system32\7.tmp --> c:\windows\system32\7.tmp [?]
S3 SaiH075C;SaiH075C;c:\windows\system32\drivers\SaiH075C.sys [2007-5-1 132232]

=============== Created Last 30 ================

2009-07-06 22:29 <DIR> --d----- C:\scan
2009-07-06 22:03 <DIR> --d----- c:\program files\Sophos
2009-07-06 21:51 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-06 21:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-06 19:28 <DIR> --d----- c:\docume~1\stettin\applic~1\Malwarebytes
2009-07-06 19:28 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-06 19:28 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-06 19:28 <DIR> --d----- c:\program files\Malwarebytes
2009-07-06 19:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-06 18:54 102,400 a------- c:\windows\system32\drivers\9f4cfef0.sys
2009-07-05 16:40 <DIR> --d----- c:\docume~1\stettin\applic~1\Mumble
2009-07-05 16:38 <DIR> --d----- c:\program files\Mumble
2009-06-21 10:59 <DIR> --d----- c:\program files\Paint.NET
2009-06-14 14:47 <DIR> --d----- c:\docume~1\stettin\applic~1\Crayon Physics Deluxe
2009-06-11 19:01 <DIR> --d----- C:\GamesNet Blitz II
2009-06-10 19:55 <DIR> --d----- c:\program files\Microsoft XNA

==================== Find3M ====================

2009-07-04 12:37 183,912 a------- c:\windows\system32\guard32.dll
2009-07-04 12:37 25,160 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-07-04 12:37 131,912 a------- c:\windows\system32\drivers\cmdguard.sys
2009-06-13 19:32 189,072 a------- c:\windows\system32\PnkBstrB.exe
2009-06-13 19:30 138,920 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 23:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-28 23:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-22 00:20 14,311,680 a------- c:\windows\system32\xlive.dll
2009-04-22 00:20 13,642,496 a------- c:\windows\system32\xlivefnt.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-12-10 17:51 22,328 a------- c:\docume~1\stettin\applic~1\PnkBstrK.sys

============= FINISH: 22:29:43.96 ===============


Edited by Stettin, 07 July 2009 - 10:40 PM.
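One way to turn the symptom described in this post (services.exe fanning out to hundreds of port-25 hosts) into a repeatable check over `netstat -ano` output, as an added example that is not from the thread or from any of the tools named in it. The sample netstat lines, the PID-to-name map (as `tasklist` would report it) and the fan-out threshold are constructed assumptions.

```python
"""Detect spam-bot style SMTP fan-out in `netstat -ano` output.

Added illustration for the symptom in the thread above (services.exe opening
hundreds of port-25 connections); not a tool from the thread.  The sample
netstat output and PID-to-name map below are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Core Windows processes that should not be originating outbound TCP sessions.
# A connection attributed to one of them points at injected or hijacked code,
# which is what the services.exe symptom in the thread looked like.
CORE_SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe",
                         "services.exe", "lsass.exe"}

# One data line of `netstat -ano`: proto, local addr:port, remote addr:port,
# an optional TCP state (UDP lines have none), and the owning PID.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)

OUTBOUND_STATES = {"SYN_SENT", "ESTABLISHED"}


class Conn(NamedTuple):
    proto: str
    local_port: int
    remote_host: str
    remote_port: str   # digits, or "*" for an unconnected UDP socket
    state: str         # "" for UDP
    pid: int


class Finding(NamedTuple):
    rule: str
    pid: int
    process: str
    detail: str


def parse_netstat(text: str) -> List[Conn]:
    """Parse `netstat -ano` output, ignoring the banner and column header."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue   # "Active Connections", "Proto  Local Address ...", blanks
        proto, _laddr, lport, rhost, rport, state, pid = m.groups()
        conns.append(Conn(proto, int(lport), rhost, rport, state or "", int(pid)))
    return conns


def analyze(conns: List[Conn], pid_names: Dict[int, str],
            smtp_fanout_threshold: int = 10) -> List[Finding]:
    """Apply two heuristics and return the findings.

    1. smtp_fanout: one PID talking to many distinct hosts on port 25.  A mail
       client talks to one or two relays; a spam bot fans out to hundreds.
    2. core_process_outbound: a core OS process with any outbound TCP session.
    """
    smtp_peers = defaultdict(set)      # pid -> distinct remote hosts on :25
    outbound = defaultdict(int)        # pid -> count of outbound TCP sessions
    for c in conns:
        if c.proto != "TCP" or c.state not in OUTBOUND_STATES:
            continue                   # LISTENING sockets and UDP are not outbound
        outbound[c.pid] += 1
        if c.remote_port == "25":
            smtp_peers[c.pid].add(c.remote_host)

    findings = []
    for pid, peers in smtp_peers.items():
        if len(peers) >= smtp_fanout_threshold:
            findings.append(Finding("smtp_fanout", pid, pid_names.get(pid, "?"),
                                    f"{len(peers)} distinct SMTP peers"))
    for pid, n in outbound.items():
        name = pid_names.get(pid, "?").lower()
        if name in CORE_SYSTEM_PROCESSES:
            findings.append(Finding("core_process_outbound", pid, name,
                                    f"{n} outbound TCP sessions"))
    return sorted(findings)


# Constructed sample, in the layout netstat -ano prints on Windows XP.
# Addresses are from the documentation ranges (RFC 5737), not real hosts.
_SMTP_TARGETS = [f"203.0.113.{i}" for i in range(1, 13)]        # 12 peers
SAMPLE_NETSTAT = "\n".join(
    ["", "Active Connections", "",
     "  Proto  Local Address          Foreign Address        State           PID",
     "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900",
     "  TCP    192.0.2.10:1056        198.51.100.7:25        ESTABLISHED     1500",
     "  UDP    0.0.0.0:445            *:*                                    4"]
    + [f"  TCP    192.0.2.10:{1100 + i}        {host}:25        SYN_SENT        700"
       for i, host in enumerate(_SMTP_TARGETS)]
)
# As `tasklist` would map the PIDs; constructed to match the sample above.
SAMPLE_PID_NAMES = {4: "System", 700: "services.exe", 900: "svchost.exe",
                    1500: "thunderbird.exe"}


def demo() -> List[Finding]:
    """Run the heuristics over the constructed sample and print the findings."""
    findings = analyze(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PID_NAMES)
    for f in findings:
        print(f"{f.rule:24} pid={f.pid:<5} {f.process:16} {f.detail}")
    return findings


if __name__ == "__main__":
    demo()
```

On a live machine, pipe `netstat -ano` into `parse_netstat` and build the PID map from `tasklist`; a single mail client connecting to one relay stays below the threshold, while the fan-out seen in this thread trips both rules.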




#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:47 AM

Posted 09 July 2009 - 01:43 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

------------------------------------------------------------------------------------------------------------------

NOTE: IMPORTANT! To other lurkers who see this topic, if you ever want to use ComboFix, please have a look at the tutorial below.. You have been warned!

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.


Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Stettin

Stettin
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:47 PM

Posted 09 July 2009 - 04:49 PM

I noticed that my Automatic Updates was broken prior to running ComboFix... Now it is working!

ComboFix 09-07-09.04 - Stettin 07/09/2009 16:38.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2547 [GMT -5:00]
Running from: c:\scan\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! antivirus 4.8.1335 [VPS 090709-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\install.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-08 03:25 . 2009-07-08 03:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-08 00:30 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-08 00:30 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-08 00:30 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-08 00:30 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-08 00:30 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-08 00:30 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-08 00:30 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-08 00:30 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-08 00:30 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-08 00:30 . 2003-03-18 20:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-07-08 00:30 . 2009-07-08 00:30 -------- d-----w- c:\program files\Alwil Software
2009-07-08 00:28 . 2009-07-08 00:28 -------- d-----w- c:\documents and settings\Stettin\Application Data\TrojanHunter
2009-07-08 00:08 . 2009-07-08 00:09 -------- d-----w- c:\program files\TrojanHunter 5.1
2009-07-07 03:29 . 2009-07-09 21:33 -------- d-----w- C:\scan
2009-07-07 03:03 . 2009-07-07 03:03 -------- d-----w- c:\program files\Sophos
2009-07-07 02:51 . 2009-07-07 02:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-07 02:51 . 2009-07-07 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-07 00:28 . 2009-07-07 00:28 -------- d-----w- c:\documents and settings\Stettin\Application Data\Malwarebytes
2009-07-07 00:28 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-07 00:28 . 2009-07-07 00:28 -------- d-----w- c:\program files\Malwarebytes
2009-07-07 00:28 . 2009-07-07 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-07 00:28 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-05 21:40 . 2009-07-05 21:40 -------- d-----w- c:\documents and settings\Stettin\Application Data\Mumble
2009-07-05 21:38 . 2009-07-05 21:38 -------- d-----w- c:\program files\Mumble
2009-06-21 15:59 . 2009-06-21 15:59 -------- d-----w- c:\program files\Paint.NET
2009-06-21 15:59 . 2009-06-21 16:00 -------- d-----w- c:\documents and settings\Stettin\Local Settings\Application Data\Paint.NET
2009-06-14 19:47 . 2009-06-14 20:41 -------- d-----w- c:\documents and settings\Stettin\Application Data\Crayon Physics Deluxe
2009-06-12 00:01 . 2009-06-12 00:01 -------- d-----w- C:\GamesNet Blitz II
2009-06-11 00:55 . 2009-06-11 00:55 -------- d-----w- c:\program files\Microsoft XNA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 03:39 . 2008-12-14 17:46 179792 ----a-w- c:\windows\system32\guard32.dll
2009-07-08 03:39 . 2008-12-14 17:46 132040 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-07-07 03:12 . 2009-03-31 22:52 -------- d-----w- c:\program files\PeerGuardian2
2009-07-04 17:37 . 2008-12-14 17:46 86976 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-07-04 17:37 . 2008-12-14 17:46 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-06-26 02:38 . 2008-12-12 17:12 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-06-26 02:38 . 2008-12-12 17:13 -------- d-----w- c:\documents and settings\Stettin\Application Data\RipIt4Me
2009-06-26 02:06 . 2009-01-17 23:15 -------- d-----w- c:\documents and settings\Stettin\Application Data\dvdcss
2009-06-22 23:07 . 2009-05-13 01:18 -------- d-----w- c:\program files\Teamspeak2_RC2
2009-06-21 17:01 . 2009-03-27 03:08 -------- d-----w- c:\documents and settings\Stettin\Application Data\uTorrent
2009-06-21 04:04 . 2008-12-23 17:48 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-14 00:32 . 2008-12-10 21:37 189072 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-14 00:30 . 2008-12-10 21:38 138920 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-13 15:40 . 2009-01-23 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\TrackMania
2009-05-18 16:31 . 2009-05-18 16:31 -------- d-----w- c:\program files\CEVO
2009-05-11 22:15 . 2009-05-10 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-05-11 22:12 . 2009-05-10 17:22 -------- d-----w- c:\documents and settings\Stettin\Application Data\VMware
2009-05-10 23:18 . 2009-05-10 17:19 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-05-07 23:09 . 2008-12-14 18:24 18240 ----a-w- c:\documents and settings\Stettin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2004-08-04 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-22 05:20 . 2009-04-22 05:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-22 05:20 . 2009-04-22 05:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 88584]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2007-10-02 233472]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2007-10-02 131072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-07-04 1793808]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-11-17 17676288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Games\\WiC\\wic.exe"=
"c:\\Games\\WiC\\wic_online.exe"=
"c:\\Games\\WiC\\wic_ds.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Games\\Cod4\\iw3mp.exe"=
"c:\\Games\\FarCry2\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Games\\FarCry2\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Games\\FarCry2\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Games\\BF2\\BF2.exe"=
"c:\\Games\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"c:\\Games\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"c:\\Games\\Steam\\steamapps\\stettin\\dark messiah might and magic multi-player\\runme.exe"=
"c:\\Games\\Steam\\steamapps\\common\\world of goo\\WorldOfGoo.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Games\\Steam\\steamapps\\common\\eets\\Eets.exe"=
"c:\\Games\\Steam\\steamapps\\common\\gravitron2\\Gravitron2.exe"=
"c:\\Games\\Steam\\steamapps\\common\\trials 2 second edition\\launcher.exe"=
"c:\\Games\\Steam\\steamapps\\common\\multiwinia\\multiwinia.exe"=
"c:\\Games\\Steam\\steamapps\\common\\i-fluid\\I-Fluid.exe"=
"c:\\Games\\HAWX\\HAWX.exe"=
"c:\\Games\\Steam\\steamapps\\common\\osmos igf demo\\OsmosDemo.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Games\\Steam\\steamapps\\common\\blueberry garden demo\\BlueberryGarden.exe"=
"c:\\Games\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

R0 HFXP2;HFXP2;c:\windows\system32\drivers\hfxp2.sys [12/15/2008 6:11 PM 13824]
R1 aswsp;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/7/2009 7:30 PM 114768]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [12/14/2008 12:46 PM 132040]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [12/14/2008 12:46 PM 25160]
R2 aswfsblk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/7/2009 7:30 PM 20560]
S3 memsweep2;MEMSWEEP2;\??\c:\windows\system32\7.tmp --> c:\windows\system32\7.tmp [?]
S3 SaiH075C;SaiH075C;c:\windows\system32\drivers\SaiH075C.sys [5/1/2007 5:11 PM 132232]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/7/2009 6:48 PM 108289]
.
Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-03-06 00:15]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Stettin\Application Data\Mozilla\Firefox\Profiles\mxzz3mkw.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 16:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\memsweep2]
"ImagePath"="\??\c:\windows\system32\7.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1993962763-515967899-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:79,d6,05,1a,80,f3,cd,0e,9f,0b,5d,5d,be,f0,0f,d6,29,0e,b5,cc,b7,00,34,
35,ef,aa,57,99,7f,49,c9,20,37,d3,1b,5e,c4,72,d6,4e,af,45,1d,bf,1e,41,7b,e4,\
"??"=hex:78,e1,89,1a,3f,f5,56,db,c3,54,b0,a3,2b,21,84,b7

[HKEY_USERS\S-1-5-21-1993962763-515967899-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:0c,42,f0,37,28,2a,7d,71,df,c4,fd,8c,87,60,c5,03,17,24,84,3f,34,
51,7e,f7,2c,32,19,b1,4d,6e,18,ff,d8,ee,d9,a5,71,5b,d2,e2,67,ad,11,22,44,c3,\
"rkeysecu"=hex:ab,23,25,4b,04,49,5a,f5,6a,2a,bc,01,ef,e2,07,0c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(832)
c:\windows\system32\guard32.dll
.
Completion time: 2009-07-09 16:41
ComboFix-quarantined-files.txt 2009-07-09 21:41

Pre-Run: 25,086,812,160 bytes free
Post-Run: 25,154,043,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

194 --- E O F --- 2009-06-11 03:23


DDS LOG
----------------

DDS (Ver_09-06-26.01) - NTFSx86
Run by Stettin at 16:43:47.79 on Thu 07/09/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2597 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! antivirus 4.8.1335 [VPS 090709-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
G:\scan\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\scan\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [ProfilerU] c:\program files\saitek\sd6\software\ProfilerU.exe
mRun: [SaiMfd] c:\program files\saitek\sd6\software\SaiMfd.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
AppInit_DLLs: c:\windows\system32\guard32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\stettin\applic~1\mozilla\firefox\profiles\mxzz3mkw.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 HFXP2;HFXP2;c:\windows\system32\drivers\hfxp2.sys [2008-12-15 13824]
R1 aswsp;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-7 114768]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-7 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-12-14 132040]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-12-14 25160]
R2 aswfsblk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-7 20560]
R2 avast! antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-7 138680]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-7 55640]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2008-12-14 707152]
S3 avast! mail scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-7 254040]
S3 avast! web scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-7 352920]
S3 memsweep2;MEMSWEEP2;\??\c:\windows\system32\7.tmp --> c:\windows\system32\7.tmp [?]
S3 SaiH075C;SaiH075C;c:\windows\system32\drivers\SaiH075C.sys [2007-5-1 132232]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-7 108289]
S4 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-7 185089]

=============== Created Last 30 ================

2009-07-09 16:41 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-09 16:37 <DIR> a-dshr-- C:\cmdcons
2009-07-09 16:36 161,792 a------- c:\windows\SWREG.exe
2009-07-09 16:36 155,136 a------- c:\windows\PEV.exe
2009-07-09 16:36 98,816 a------- c:\windows\sed.exe
2009-07-09 16:36 <DIR> --ds---- C:\ComboFix
2009-07-07 22:25 664 a------- c:\windows\system32\d3d9caps.dat
2009-07-07 21:27 130 a------- c:\windows\cfplogvw.INI
2009-07-07 19:30 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-07-07 19:28 <DIR> --d----- c:\docume~1\stettin\applic~1\TrojanHunter
2009-07-07 19:08 <DIR> --d----- c:\program files\TrojanHunter 5.1
2009-07-06 22:29 <DIR> --d----- C:\scan
2009-07-06 22:03 <DIR> --d----- c:\program files\Sophos
2009-07-06 21:51 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-06 21:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-06 19:28 <DIR> --d----- c:\docume~1\stettin\applic~1\Malwarebytes
2009-07-06 19:28 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-06 19:28 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-06 19:28 <DIR> --d----- c:\program files\Malwarebytes
2009-07-06 19:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-05 16:40 <DIR> --d----- c:\docume~1\stettin\applic~1\Mumble
2009-07-05 16:38 <DIR> --d----- c:\program files\Mumble
2009-06-21 10:59 <DIR> --d----- c:\program files\Paint.NET
2009-06-14 14:47 <DIR> --d----- c:\docume~1\stettin\applic~1\Crayon Physics Deluxe
2009-06-11 19:01 <DIR> --d----- C:\GamesNet Blitz II
2009-06-10 19:55 <DIR> --d----- c:\program files\Microsoft XNA

==================== Find3M ====================

2009-07-07 22:39 179,792 a------- c:\windows\system32\guard32.dll
2009-07-07 22:39 132,040 a------- c:\windows\system32\drivers\cmdguard.sys
2009-07-04 12:37 25,160 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-06-13 19:32 189,072 a------- c:\windows\system32\PnkBstrB.exe
2009-06-13 19:30 138,920 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 23:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-28 23:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-22 00:20 14,311,680 a------- c:\windows\system32\xlive.dll
2009-04-22 00:20 13,642,496 a------- c:\windows\system32\xlivefnt.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-12-10 17:51 22,328 a------- c:\docume~1\stettin\applic~1\PnkBstrK.sys

============= FINISH: 16:43:55.95 ===============



HijackThis LOG
--------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:13 PM, on 7/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
G:\scan\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 5274 bytes
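As an added example (not part of this thread and not code from HijackThis or any other tool named here), a small Python triage script that parses a few lines copied from the HijackThis log above (constructed sample) and flags the entries a helper would look at first: Run keys that reference a bare file name rather than a full path, AppInit_DLLs entries, and services whose binary reports no publisher. The flag rules are my own heuristics, not HijackThis's.

```python
import re

# Constructed sample: five lines copied from the HijackThis log in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
"""

# HijackThis line shapes handled here (O4 Run keys, O20 AppInit_DLLs, O23 services).
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dll>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def run_target(cmd):
    """Return the executable part of an O4 command line (handles quoted paths)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_hjt(text):
    """Return (item, reason) pairs for log entries that deserve a manual look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            exe = run_target(m["cmd"])
            if not ABS_PATH_RE.match(exe):
                # A bare name is resolved through the PATH at logon, so the file
                # that actually runs is not obvious from the log line alone.
                findings.append((m["name"], "Run entry uses bare file name %s; confirm which file runs" % exe))
        elif m := O20_RE.match(line):
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            findings.append((m["dll"], "AppInit_DLLs entry; confirm the vendor of this DLL"))
        elif m := O23_RE.match(line):
            if m["owner"].lower() == "unknown owner":
                findings.append((m["name"], "service binary has no publisher info: %s" % m["path"]))
    return findings


if __name__ == "__main__":
    for item, reason in triage_hjt(HJT_SAMPLE):
        print("%-35s %s" % (item, reason))
```

On the sample this reports nwiz, guard32.dll and PnkBstrA; all three turn out to be legitimate on this machine, which is the point: the script narrows the list, and a person still verifies each hit.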

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:47 AM

Posted 09 July 2009 - 10:41 PM

Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the randomly named file (or GMER) to GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy, paste the results into Notepad, save it and attach it to this thread.
IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 Stettin

Stettin
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:47 PM

Posted 10 July 2009 - 06:38 PM

Here it is:

Attached Files



#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:47 AM

Posted 11 July 2009 - 12:01 AM

You have two antivirus programs installed (Avast and Avira).. That's not good.. Always use only ONE antivirus per computer.. Uninstall one of them please :thumbup2:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
How's the computer now? :)



#7 Stettin

Stettin
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:47 PM

Posted 11 July 2009 - 09:01 PM

C:\Program Files\HFXP\hfxp.exe probably unknown NewHeur_PE virus

All it found was the above "unknown".. I've been using that program for a couple of years with no problems. I think it is a false positive. It came back clean in Avira (which I have since uninstalled). I put it up on a multi-scan malware site and here are the results: NOD32 picked it up, as well as CPSecure.

http://virusscan.jotti.org/en/scanresult/c...11fac1796d5cc8d

Any suggestions?

Otherwise, the computer seems to be running like new now :thumbup2:

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:47 AM

Posted 12 July 2009 - 02:21 AM

Well, if you know the program is safe, it's surely a false positive :thumbup2:

Looks good to me.. Let's do some cleanup...


Please download OTC by OldTimer and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512



#9 Stettin

Stettin
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:47 PM

Posted 12 July 2009 - 11:27 AM

My computer is running fine now. Thanks for the help!



