Jump to content

Help! Antivirus.EVT file


Recommended Posts

Help, just got a new laptop and didn't check my torrent sources before downloading, got rid of most of the problems but ended up with an icon on the taskbar that just won't be removed. It looks like an .evt file but I haven't been able to remove it, or rename it to delete it. Any help will be greatly appreciated. Here is the HijackThis Log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:44:19 PM, on 4/12/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\BisonCam\BisonTrayIcon.exe

C:\Program Files\Function Key Controller\FKC.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Cameron\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [bisonTrayIcon] C:\WINDOWS\BisonCam\BisonTrayIcon.exe

O4 - HKLM\..\Run: [FunctionKeyCtrl] C:\Program Files\Function Key Controller\FKC.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: EndWLAN.cmd

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: OSCust.lnk = C:\WINDOWS\system32\oem\OSCust.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)

O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - C:\WINDOWS\system32\rkvdr.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--

End of file - 8268 bytes

THANKS AGAIN!

Link to post
Share on other sites

  • Staff

Hello, and welcome to MalwareBytes.

Configure Windows XP to show hidden files:

Navigate to Start --> My Computer.

Select the Tools menu and click Folder Options. Select the View tab.

Under the Hidden files and folders heading select "Show hidden files and folders".

Uncheck the "Hide protected operating system files (recommended)" option.

Uncheck the "Hide file extensions for known file types" option.

Click Yes to confirm. Click OK.

Then, please go to VirusTotal, and upload the following file for analysis:

C:\WINDOWS\system32\rkvdr.dll

Post the results in your reply.

Next, please go to this website, and complete the form as follows:

Link to topic where this file was requested: http://www.malwarebytes.org/forums/index.php?showtopic=4245

Browse to the file you want to submit:

Click Browse, and navigate to the following file:

C:\WINDOWS\system32\rkvdr.dll

Leave any comments, further information about this file, or contact information: From screen317 (MalwareBytes)

Next, we'll use ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

Here are both logs from HijackThis and ComboFix. The taskbar problem has since stopped, it no longer has anything in it that it shouldn't

ComboFix 08-04-12.5 - Cameron 2008-04-12 20:27:48.1 - NTFSx86

Running from: C:\Documents and Settings\Cameron\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\rkvdr.dll

.

((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))

.

2008-04-10 23:22 . 2008-04-12 00:43 143 --a------ C:\WINDOWS\wb.ini

2008-04-10 23:04 . 2008-04-10 23:04 355 --a------ C:\WINDOWS\system32\MRT.INI

2008-04-10 22:52 . 2008-04-10 22:53 <DIR> d-------- C:\WINDOWS\system32\215651

2008-04-10 22:51 . 2008-04-10 23:04 <DIR> d-------- C:\Program Files\NetProject

2008-04-10 22:39 . 2008-04-10 22:39 <DIR> d-------- C:\Program Files\Stardock

2008-04-10 22:39 . 2003-02-26 20:27 36,864 --a------ C:\WINDOWS\system32\wbsys.dll

2008-04-10 22:39 . 2005-01-22 18:05 20,480 --a------ C:\WINDOWS\system32\wbload.dll

2008-04-10 22:26 . 2008-04-10 22:26 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

2008-04-10 21:43 . 2008-04-10 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet

2008-04-08 00:05 . 2008-04-08 00:05 <DIR> d-------- C:\WINDOWS\system32\electricsheep-cache

2008-04-08 00:05 . 2008-04-08 00:05 48,456 --a------ C:\WINDOWS\system32\UninstallElectricSheep.exe

2008-04-07 23:47 . 2008-04-07 23:47 <DIR> d-------- C:\Program Files\Alwil Software

2008-04-07 23:45 . 2008-04-07 23:45 <DIR> d-------- C:\Program Files\Lavasoft

2008-04-07 23:45 . 2008-04-07 23:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-04-07 23:44 . 2008-04-07 23:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-04-07 16:28 . 2008-04-07 16:28 <DIR> d-------- C:\Documents and Settings\Cameron\Application Data\DivX

2008-04-07 02:00 . 2008-04-07 02:00 <DIR> d-------- C:\Program Files\DivX

2008-04-06 19:14 . 2008-04-06 19:14 <DIR> d-------- C:\WINDOWS\SHELLNEW

2008-04-06 19:14 . 2008-04-06 19:14 <DIR> d-------- C:\Program Files\Microsoft ActiveSync

2008-04-06 19:14 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll

2008-04-06 19:14 . 2008-04-06 19:14 376 --a------ C:\WINDOWS\ODBC.INI

2008-04-06 19:09 . 2008-04-06 19:09 <DIR> dr-h----- C:\MSOCache

2008-04-06 03:41 . 2008-04-06 03:41 <DIR> d-------- C:\WINDOWS\system32\Futuremark

2008-04-06 03:41 . 2008-04-06 03:41 262,144 --a------ C:\WINDOWS\system32\wrap_oal.dll

2008-04-06 03:41 . 2008-04-06 03:41 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll

2008-04-06 03:41 . 2004-10-25 20:02 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys

2008-04-06 03:41 . 1999-11-02 10:01 6,173 --a------ C:\WINDOWS\system32\drivers\Entech.vxd

2008-04-06 03:41 . 2004-06-22 15:44 5,632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys

2008-04-06 03:41 . 2001-11-19 19:05 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys

2008-04-06 03:36 . 2008-04-06 03:36 <DIR> d-------- C:\Program Files\Futuremark

2008-04-06 02:57 . 2008-04-08 22:09 69 --a------ C:\WINDOWS\NeroDigital.ini

2008-04-06 02:44 . 2008-04-06 02:44 <DIR> d-------- C:\Program Files\Anark

2008-04-06 02:44 . 2008-04-06 02:48 2,422,046 --a------ C:\WINDOWS\NV_drawings_ss_02.exe.exe

2008-04-06 02:44 . 2008-04-06 02:44 1,588,479 --a------ C:\WINDOWS\nvgffx_ss_01.exe.exe

2008-04-06 02:44 . 2008-04-06 02:44 395,708 --a------ C:\WINDOWS\nvgffx_ss_01.exe.scr

2008-04-06 02:44 . 2008-04-06 02:48 395,708 --a------ C:\WINDOWS\NV_drawings_ss_02.exe.scr

2008-04-06 02:44 . 2002-09-06 04:30 67,072 --a------ C:\WINDOWS\system32\AKCPanel.cpl

2008-04-06 02:44 . 2008-04-06 02:44 40,960 --a------ C:\WINDOWS\nvgffx_ss_01.exe.dll

2008-04-06 02:44 . 2008-04-06 02:48 40,960 --a------ C:\WINDOWS\NV_drawings_ss_02.exe.dll

2008-04-06 02:44 . 2008-04-06 02:44 18,192 --a------ C:\WINDOWS\nvgffx_ss_01.exe.dat

2008-04-06 02:44 . 2008-04-06 02:48 18,192 --a------ C:\WINDOWS\NV_drawings_ss_02.exe.dat

2008-04-06 02:44 . 2008-04-06 02:44 1,054 --a------ C:\WINDOWS\unins000.dat

2008-04-05 19:42 . 2008-04-05 19:42 <DIR> d-------- C:\Program Files\MSXML 6.0

2008-04-05 19:35 . 2008-04-05 19:35 <DIR> d-------- C:\Program Files\QuickTime

2008-04-05 19:35 . 2008-04-05 19:35 <DIR> d-------- C:\Program Files\iTunes

2008-04-05 19:35 . 2008-04-05 19:35 <DIR> d-------- C:\Program Files\iPod

2008-04-05 19:35 . 2008-04-05 19:35 <DIR> d-------- C:\Program Files\Bonjour

2008-04-05 19:35 . 2008-04-05 19:35 <DIR> d-------- C:\Program Files\Apple Software Update

2008-04-05 19:35 . 2008-04-05 19:35 <DIR> d-------- C:\Documents and Settings\Cameron\Application Data\Apple Computer

2008-04-05 19:35 . 2008-04-05 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer

2008-04-05 19:35 . 2008-04-12 20:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-04-05 19:35 . 2008-04-05 19:35 1,409 --a------ C:\WINDOWS\QTFont.for

2008-04-05 19:34 . 2008-04-05 19:34 <DIR> d-------- C:\Program Files\Common Files\Apple

2008-04-05 19:34 . 2008-04-05 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

2008-04-05 19:33 . 2008-04-05 19:33 1,158 --a------ C:\WINDOWS\mozver.dat

2008-04-05 19:24 . 2008-04-05 19:24 0 --a------ C:\WINDOWS\nsreg.dat

2008-04-05 19:21 . 2008-04-05 19:21 <DIR> d-------- C:\Program Files\Common Files\LogiShared

2008-04-05 19:21 . 2008-04-05 19:21 <DIR> d-------- C:\Documents and Settings\Cameron\Application Data\Logitech

2008-04-05 19:21 . 2008-04-05 19:21 <DIR> d-------- C:\Documents and Settings\Cameron\Application Data\Leadertech

2008-04-05 19:20 . 2008-04-05 19:20 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2008-04-05 19:20 . 2008-04-05 19:20 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf

2008-04-05 19:19 . 2008-04-05 19:19 <DIR> d-------- C:\Program Files\Logitech

2008-04-05 19:19 . 2008-04-05 19:19 <DIR> d-------- C:\Program Files\Common Files\Logitech

2008-04-05 19:19 . 2008-04-05 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech

2008-04-05 19:19 . 2007-04-11 15:33 1,419,024 --a------ C:\WINDOWS\system32\WdfCoInstaller01005.dll

2008-04-05 19:19 . 2007-04-23 04:00 163,840 --a------ C:\WINDOWS\system32\kemutb.dll

2008-04-05 19:19 . 2007-04-23 04:00 135,168 --a------ C:\WINDOWS\system32\KemUtil.dll

2008-04-05 19:19 . 2007-04-23 04:00 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll

2008-04-05 19:19 . 2007-04-23 04:00 69,632 --a------ C:\WINDOWS\system32\KemXML.dll

2008-04-05 19:19 . 2007-04-11 15:32 56,080 --a------ C:\WINDOWS\KHALMNPR.Exe

2008-04-05 19:19 . 2007-04-11 15:32 36,112 --a------ C:\WINDOWS\system32\drivers\LMouFilt.Sys

2008-04-05 19:19 . 2007-04-11 15:32 34,832 --a------ C:\WINDOWS\system32\drivers\LHidFilt.Sys

2008-04-05 19:15 . 2008-04-05 19:15 <DIR> d-------- C:\Documents and Settings\Cameron\Application Data\InstallShield

2008-04-05 19:14 . 2008-04-05 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd

2008-04-05 19:12 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys

2008-04-05 19:12 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys

2008-04-05 19:12 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys

2008-04-05 19:12 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys

2008-04-05 12:22 . 2008-04-05 12:22 331 --a------ C:\WINDOWS\doom3.ini

2008-04-05 11:55 . 2008-04-05 12:22 <DIR> d-------- C:\Program Files\Doom 3

2008-04-05 11:39 . 2008-04-05 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe

2008-04-05 11:30 . 2008-04-05 11:30 <DIR> d-------- C:\Documents and Settings\Cameron\Application Data\CyberLink

2008-04-05 11:30 . 2008-04-05 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink

2008-04-05 11:25 . 2007-05-09 09:07 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Bluetooth Software

2008-04-05 11:25 . 2007-05-09 09:07 <DIR> d-------- C:\Documents and Settings\Default User\Bluetooth Software

2008-04-05 11:25 . 2007-05-09 09:07 <DIR> d-------- C:\Documents and Settings\Cameron\Bluetooth Software

2008-04-05 11:25 . 2008-03-28 08:05 <DIR> d-------- C:\Documents and Settings\Cameron\Application Data\Intel

2008-04-05 11:25 . 2008-03-28 08:06 <DIR> d-------- C:\Documents and Settings\Cameron\Application Data\Ahead

2008-04-01 08:14 . 2008-04-01 08:14 8,192 --a------ C:\WINDOWS\REGLOCS.OLD

2008-04-01 08:13 . 2008-04-01 08:13 61 --a------ C:\WINDOWS\smscfg.ini

2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx

2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

2008-03-28 11:29 . 2008-03-28 11:29 <DIR> d-------- C:\WINDOWS\system32\Alienware

2008-03-28 08:09 . 2008-03-28 08:09 <DIR> d-------- C:\Program Files\Common Files\LightScribe

2008-03-28 08:09 . 2003-03-25 05:00 67,072 --a------ C:\WINDOWS\POWERCFG.EXE

2008-03-28 08:06 . 2008-03-28 08:06 <DIR> d-------- C:\Program Files\Nero

2008-03-28 08:06 . 2008-03-28 08:06 <DIR> d-------- C:\Program Files\Common Files\Ahead

2008-03-28 08:06 . 2008-03-28 08:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero

2008-03-28 08:06 . 2008-03-28 08:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ahead

2008-03-28 08:05 . 2008-03-28 08:05 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Intel

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-11 08:55 --------- d-----w C:\Program Files\Common Files\Adobe

2008-04-06 10:36 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-06 09:44 72,774 ----a-w C:\WINDOWS\unins000.exe

2008-03-29 18:45 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe

2008-03-29 18:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2008-03-29 18:35 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys

2008-03-29 18:31 75,856 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys

2008-03-29 18:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2008-03-29 18:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2008-03-29 18:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2008-03-29 18:23 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr

2008-03-28 15:04 --------- d-----w C:\Program Files\Intel

2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-02-21 02:05 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys

2008-02-21 02:05 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys

2008-02-21 02:05 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe

2008-02-21 02:05 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys

2008-02-21 02:05 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2008-02-21 02:05 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2008-02-21 02:05 129,784 ------w C:\WINDOWS\system32\pxafs.dll

2008-02-21 02:05 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe

2008-02-21 02:05 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe

2008-02-21 02:05 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2008-02-21 02:04 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll

2008-02-21 02:04 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2008-02-21 02:04 682,496 ----a-w C:\WINDOWS\system32\DivX.dll

2008-02-21 02:04 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll

2008-02-21 02:04 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll

2008-02-21 02:04 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll

2008-02-21 02:04 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll

2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll

2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll

2008-02-21 02:04 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll

2008-02-21 02:03 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe

2008-02-21 02:03 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll

2008-01-29 19:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 13:26 484904]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04 139264]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 18:54 16116224 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]

"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 13:32 89541 C:\WINDOWS\AGRSMMSG.exe]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-11 18:56 794714]

"BisonTrayIcon"="C:\WINDOWS\BisonCam\BisonTrayIcon.exe" [2005-10-06 18:49 40960]

"FunctionKeyCtrl"="C:\Program Files\Function Key Controller\FKC.exe" [2006-05-25 16:49 49152]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-03-07 06:41 7700480]

"nwiz"="nwiz.exe" [2007-03-07 06:41 1622016 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="NvMCTray.dll" [2007-03-07 06:41 86016 C:\WINDOWS\system32\nvmctray.dll]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10 56928]

"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]

"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 11:19 819200]

"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 11:17 970752]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 11:37 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]

Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]

Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-11 16:35:34 561213]

EndWLAN.cmd [2007-08-31 07:03:40 209]

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-04-05 19:19:40 692224]

OSCust.lnk - C:\WINDOWS\system32\oem\OSCust.exe [2007-08-17 15:53:44 67072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]

C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2005-11-28 15:52 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 11:31]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 11:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - D:\Setup\rsrc\Autorun.exe

\Shell\dinstall\command - D:\Directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8c4c8c3-fdcb-11db-8c5e-99b4e460d61e}]

\Shell\AutoRun\command - E:\pstart.exe

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

"2008-04-06 02:35:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-12 20:30:53

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-04-12 20:31:23

ComboFix-quarantined-files.txt 2008-04-13 03:31:19

Pre-Run: 511,191,769,088 bytes free

Post-Run: 511,179,100,160 bytes free

.

2008-04-11 06:05:12 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:32:15 PM, on 4/12/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\BisonCam\BisonTrayIcon.exe

C:\Program Files\Function Key Controller\FKC.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Cameron\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [bisonTrayIcon] C:\WINDOWS\BisonCam\BisonTrayIcon.exe

O4 - HKLM\..\Run: [FunctionKeyCtrl] C:\Program Files\Function Key Controller\FKC.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: EndWLAN.cmd

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: OSCust.lnk = C:\WINDOWS\system32\oem\OSCust.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)

O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--

End of file - 8125 bytes

Thank You Tons!!!!!!!!!!!!!!!!!!!!!!!!!!http://www.malwarebytes.org/forums/style_emoticons/default/cool.gif

http://www.malwarebytes.org/forums/style_e...efault/cool.gif

Link to post
Share on other sites

  • Staff

Hi,

Here are both logs from HijackThis and ComboFix. The taskbar problem has since stopped, it no longer has anything in it that it shouldn't
Good to hear, and you're very welcome. :P

Let's check for leftovers.

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.

(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

The program launches and downloads the latest definition files.

  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended

      [*]Scan Options:

      • Scan Archives
      • Scan Mail Bases

    [*] Click OK and, under select a target to scan, select My Computer

When the scan is done, in the Scan is completed window (below), any infection is displayed.

There is no option to clean/disinfect, however, we need to analyze the information on the report.

Kas-SaveReport-1.gif

Kas-Savetxt.gif

To obtain the report:

Click on: Save Report As (above - red blinking arrow)

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar

In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

-screen317

Link to post
Share on other sites

Hi,

Good to hear, and you're very welcome. :P

Let's check for leftovers.

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.

(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

The program launches and downloads the latest definition files.

  • Once the files are downloaded click on Next

  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended

      [*]Scan Options:

      • Scan Archives

      • Scan Mail Bases

    [*] Click OK and, under select a target to scan, select My Computer

When the scan is done, in the Scan is completed window (below), any infection is displayed.

There is no option to clean/disinfect, however, we need to analyze the information on the report.

Kas-SaveReport-1.gif

Kas-Savetxt.gif

To obtain the report:

Click on: Save Report As (above - red blinking arrow)

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar

In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

-screen317

Here is the log, looks like I'm not outta the woods yet...

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Sunday, April 13, 2008 8:10:39 PM

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.98.0

Kaspersky Anti-Virus database last update: 14/04/2008

Kaspersky Anti-Virus database records: 702914

-------------------------------------------------------------------------------

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

Scan Target - My Computer:

C:\

D:\

Scan Statistics:

Total number of scanned objects: 75594

Number of viruses found: 5

Number of infected objects: 6

Number of suspicious objects: 0

Duration of the scan process: 00:46:00

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\Cameron\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\Temp\~DFCB96.tmp Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Cameron\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Cameron\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\rkvdr.dll.vir Infected: not-virus:Hoax.Win32.Agent.bv skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{8648A411-BE0B-41B5-8457-882A9174BF68}\RP10\A0002415.exe Infected: Trojan-Downloader.Win32.Zlob.kxv skipped

C:\System Volume Information\_restore{8648A411-BE0B-41B5-8457-882A9174BF68}\RP11\A0002572.exe Infected: Trojan-Downloader.Win32.Zlob.lbs skipped

C:\System Volume Information\_restore{8648A411-BE0B-41B5-8457-882A9174BF68}\RP11\A0002573.exe Infected: Trojan-Downloader.Win32.Zlob.lcd skipped

C:\System Volume Information\_restore{8648A411-BE0B-41B5-8457-882A9174BF68}\RP11\A0002574.dll Infected: Trojan-Downloader.Win32.Zlob.lcc skipped

C:\System Volume Information\_restore{8648A411-BE0B-41B5-8457-882A9174BF68}\RP13\A0003682.dll Infected: not-virus:Hoax.Win32.Agent.bv skipped

C:\System Volume Information\_restore{8648A411-BE0B-41B5-8457-882A9174BF68}\RP14\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_c4.dat Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Link to post
Share on other sites

  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.

Restart your computer, and run the Kaspersky scan again please.

Also post a fresh HijackThis log. Let me know if any problems remain.

-screen317

Link to post
Share on other sites

Hi,

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.

Restart your computer, and run the Kaspersky scan again please.

Also post a fresh HijackThis log. Let me know if any problems remain.

-screen317

Here are the results of the scans, looks like everything has been taken care of. I really appreciate your time and help! You are most generous!

KASPERSKY ONLINE SCANNER REPORT

Monday, April 14, 2008 11:05:30 PM

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.98.0

Kaspersky Anti-Virus database last update: 15/04/2008

Kaspersky Anti-Virus database records: 705714

-------------------------------------------------------------------------------

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

Scan Target - My Computer:

C:\

D:\

Scan Statistics:

Total number of scanned objects: 72994

Number of viruses found: 0

Number of infected objects: 0

Number of suspicious objects: 0

Duration of the scan process: 00:36:37

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\Cameron\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\History\History.IE5\MSHist012008041420080415\index.dat Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\Temp\~DFA3D4.tmp Object is locked skipped

C:\Documents and Settings\Cameron\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Cameron\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Cameron\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{8648A411-BE0B-41B5-8457-882A9174BF68}\RP1\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_11c.dat Object is locked skipped

C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

HJT

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:22:53 PM, on 4/14/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\BisonCam\BisonTrayIcon.exe

C:\Program Files\Function Key Controller\FKC.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Documents and Settings\Cameron\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [bisonTrayIcon] C:\WINDOWS\BisonCam\BisonTrayIcon.exe

O4 - HKLM\..\Run: [FunctionKeyCtrl] C:\Program Files\Function Key Controller\FKC.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: EndWLAN.cmd

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: OSCust.lnk = C:\WINDOWS\system32\oem\OSCust.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)

O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--

End of file - 8617 bytes

Link to post
Share on other sites

  • Staff

Hi thegerm,

Please open HijackThis, and select Do a system scan only.

Place a checkmark next to the following entries:

O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)

O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)

Then, close all other open windows, leaving only HijackThis open, and select Fix checked.

Aside from that, good work. Your log appears to be clean!

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Comodo

Kerio

Outpost

2) Download and install Spybot-Search & Destroy, which has great features (specifically Immunization and TeaTimer) that help prevent malware from getting on your computer. Also a great scanner for weekly checks of the health of your system.

3) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

4) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

5) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

Link to post
Share on other sites

Hi thegerm,

Please open HijackThis, and select Do a system scan only.

Place a checkmark next to the following entries:

O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)

O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)

Then, close all other open windows, leaving only HijackThis open, and select Fix checked.

Aside from that, good work. Your log appears to be clean!

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Comodo

Kerio

Outpost

2) Download and install Spybot-Search & Destroy, which has great features (specifically Immunization and TeaTimer) that help prevent malware from getting on your computer. Also a great scanner for weekly checks of the health of your system.

3) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

4) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

5) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

Thank you again for your time and effort! I am already using both Ad-Aware and Avast! can I use those in conjunction with what you recommended or should I remove those and use only what you suggest?

Your a gem of a human!

thegerm

Link to post
Share on other sites

  • Root Admin

Generally speaking Anti-Malware products can co-exist but Anti-Virus products can not.

I would keep Malwarebytes on the system as well as it is a much better Malware scanner these days than Spybot

If you do run into issues with Malwarebytes running at the same time as one of the other Malware scanners or Antivirus please post and let us know.

Thanks

Link to post
Share on other sites

  • 2 weeks later...

This topic seems to be resolved or dead. To prevent others from posting to it I will close it. Should it need to be opened contact any staff member and we will do that for you. Thanks Screen317 for your most appreciated help!

Note: The fixes here are for this system only. Applying to your system can cause severe damage. Please read the topic Pre HJT Post Instructions and begin your own topic if you need assistance.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.