Karl`s PC Help Forums

HJT Logs please
Daz - 25-6-2008 at 16:41

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:36:18, on 25/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:Program FilesCommon FilesLogiShrdLVCOMSERLVComSer.exe
C:Windowssystem32taskeng.exe
C:Windowssystem32Dwm.exe
C:WindowsExplorer.EXE
C:Program FilesWindows DefenderMSASCui.exe
C:WindowsRtHDVCpl.exe
C:Program FilesCommon FilesRoxio Shared9.0SharedCOMRoxWatchTray9.exe
C:Program FilesCommon FileslogishrdLComMgrCommunications_Helper.exe
C:Program FilesLogitechQuickCamQuickcam.exe
C:Program FilesHPHP Software UpdatehpwuSchd2.exe
C:Program FilesKaspersky LabKaspersky Anti-Virus 7.0avp.exe
C:Program FilesiTunesiTunesHelper.exe
C:Program FilesJavajre1.6.0_06binjusched.exe
C:Program FilesWindows Sidebarsidebar.exe
C:WindowsSystem32rundll32.exe
C:Program FilesPackard BellSetUpMyPCSmpSys.exe
C:Program FilesWindows LiveMessengermsnmsgr.exe
C:Program FilesSpybot - Search & DestroyTeaTimer.exe
C:Program FilesWindows Media Playerwmpnscfg.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesCommon FilesInstallShieldUpdateServiceISUSPM.exe
C:Windowssystem32wbemunsecapp.exe
C:Program FilesHPDigital Imagingbinhpqtra08.exe
C:Program FilesWindows Sidebarsidebar.exe
C:Program FilesWindows Sidebarsidebar.exe
C:Program FilesCommon FilesRoxio Shared9.0SharedCOMCPSHelpRunner.exe
C:Program FilesCommon FilesLogishrdLQCVFXCOCIManager.exe
C:Program FilesHPDigital ImagingbinhpqSTE08.exe
C:WindowsSystem32mobsync.exe
C:Program FilesInternet Explorerieuser.exe
C:Program FilesSpybot - Search & DestroySpybotSD.exe
C:Windowssystem32wuauclt.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe
C:Program FilesCommon FilesMicrosoft SharedWindows LiveWLLoginProxy.exe
C:Windowssystem32msfeedssync.exe
C:Windowssystem32DllHost.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:PROGRA~1SPYBOT~1SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_06binssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:Program FilesCommon FilesMicrosoft SharedWindows LiveWindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:Program FilesGoogleGoogle_BAEBAE.dll
O4 - HKLM..Run: [Windows Defender] %ProgramFiles%Windows DefenderMSASCui.exe -hide
O4 - HKLM..Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM..Run: [NvSvc] RUNDLL32.EXE C:Windowssystem32nvsvc.dll,nvsvcStart
O4 - HKLM..Run: [toolbar_eula_launcher] C:Program FilesPackard BellGOOGLE_EULAEULALauncher.exe
O4 - HKLM..Run: [LogitechCommunicationsManager] "C:Program FilesCommon FilesLogiShrdLComMgrCommunications_Helper.exe"
O4 - HKLM..Run: [LogitechQuickCamRibbon] "C:Program FilesLogitechQuickCamQuickcam.exe" /hide
O4 - HKLM..Run: [AVP] "C:Program FilesKaspersky LabKaspersky Anti-Virus 7.0avp.exe"
O4 - HKLM..Run: [iTunesHelper] "C:Program FilesiTunesiTunesHelper.exe"
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre1.6.0_06binjusched.exe"
O4 - HKCU..Run: [Sidebar] C:Program FilesWindows Sidebarsidebar.exe /autoRun
O4 - HKCU..Run: [SmpcSys] C:Program FilesPackard BellSetUpMyPCSmpSys.exe
O4 - HKCU..Run: [MsnMsgr] "C:Program FilesWindows LiveMessengerMsnMsgr.Exe" /background
O4 - HKCU..Run: [BoneSlow] "C:ProgramDataKnob fork fork.2wnwt53"
O4 - HKCU..Run: [ROAD ITCH AMOK PING] "C:ProgramDataTeam real flaw.0qgvvhm"
O4 - HKCU..Run: [SpybotSD TeaTimer] C:Program FilesSpybot - Search & DestroyTeaTimer.exe
O4 - HKCU..Run: [WMPNSCFG] C:Program FilesWindows Media PlayerWMPNSCFG.exe
O4 - HKCU..Run: [ISUSPM] "C:Program FilesCommon FilesInstallShieldUpdateServiceISUSPM.exe" -scheduler
O4 - HKUSS-1-5-19..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-19..Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-18..Run: [Picasa Media Detector] C:Program FilesPicasa2PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [Picasa Media Detector] C:Program FilesPicasa2PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:Program FilesHPDigital Imagingbinhpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~3Office12EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_06binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_06binssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:Program FilesKaspersky LabKaspersky Anti-Virus 7.0SCIEPlgn.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:Program FilesWindows LiveWriterWriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:Program FilesWindows LiveWriterWriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:PROGRA~1SPYBOT~1SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:PROGRA~1SPYBOT~1SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - AppInit_DLLs: C:PROGRA~1KASPER~1KASPER~1.0r3hook.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:Program FilesKaspersky LabKaspersky Anti-Virus 7.0avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:Program FilesCommon FilesSymantec SharedccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:Program FilesiPodbiniPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:PROGRA~1SymantecLIVEUP~1LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:Program FilesCommon FilesSymantec SharedccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedPIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}PIFSvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:Program FilesCommon FilesLogiShrdLVCOMSERLVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:Program FilesCommon FilesLogiShrdLVMVFMLVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:Program FilesCommon FilesLogiShrdSrvLnchSrvLnch.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:Program FilesCommon FilesRoxio Shared9.0SharedCOMRoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:Program FilesCommon FilesRoxio Shared9.0SharedCOMRoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:Program FilesSpybot - Search & DestroySDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:Program FilesCommon FilesSureThing Sharedstllssvr.exe

--
End of file - 9109 bytes


Daz - 25-6-2008 at 16:42

PS.

Only one AV is in use, take no notice of the Symantec info...


Pancake - 25-6-2008 at 23:55

You have a Lop infection....

Ok. Let's download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> http://www.bleepingcomputer.com/combofix/how-to-use-combofix <===== Go here

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:ComboFix.txt
New HijackThis log.


Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
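As an added example (not from this thread or from any of the tools named in it), the script below parses HijackThis O4 registry Run lines and flags the two entries that stand out in the log above: a Run value whose target has a made-up extension instead of .exe or .dll, and one that launches from C:\ProgramData rather than Program Files. The sample lines are constructed from the log's own entries with the backslashes the forum stripped put back, which is an assumption about their placement.

```python
"""Flag HijackThis O4 (registry Run) entries that match the pattern seen in the log above."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 format, modelled on O4 lines from the log in this
# thread. The forum stripped the backslashes; their placement here is an assumption.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BoneSlow] "C:\ProgramData\Knob fork fork.2wnwt53"
O4 - HKCU\..\Run: [ROAD ITCH AMOK PING] "C:\ProgramData\Team real flaw.0qgvvhm"
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
"""

# hive \..\Run: [value name] command line, optionally followed by (User '...')
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)

# Extensions Windows will actually execute from a Run value; anything else is odd.
EXEC_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".dll", ".vbs", ".js"}
# Locations where an autostart binary rarely belongs on a clean machine.
DATA_DIRS = ("\\programdata\\", "\\application data\\", "\\appdata\\",
             "\\users\\", "\\documents and settings\\")


@dataclass
class RunEntry:
    hive: str    # e.g. HKLM, HKCU, HKUS\S-1-5-18
    name: str    # the Run value name shown in [brackets]
    cmd: str     # the full command line
    target: str  # the file the command launches


def target_of(cmd: str) -> str:
    """Extract the launched file from a Run command line (quoted, rundll32, or bare+switches)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    head, _, rest = cmd.partition(" ")
    if head.lower() in ("rundll32.exe", "rundll32"):
        # rundll32 loads the DLL named before the comma; the export name follows it
        return rest.split(",", 1)[0].strip()
    tokens = cmd.split(" ")
    while len(tokens) > 1 and tokens[-1][:1] in ("/", "-"):
        tokens.pop()  # drop trailing switches such as /autoRun or -hide
    return " ".join(tokens)


def parse_o4(log_text: str) -> list[RunEntry]:
    """Collect the registry Run entries; Global Startup (.lnk) lines have another shape and are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["name"], m["cmd"], target_of(m["cmd"])))
    return entries


def assess(entry: RunEntry) -> list[str]:
    """Reasons an entry deserves a closer look; an empty list means nothing stood out."""
    reasons = []
    ext = ntpath.splitext(entry.target)[1].lower()
    if ext not in EXEC_EXTS:
        reasons.append(f"non-executable extension {ext!r}")
    if any(d in entry.target.lower() for d in DATA_DIRS):
        reasons.append("launches from a data/profile directory")
    return reasons


def flag_run_entries(log_text: str) -> dict[str, list[str]]:
    """Map each suspect Run value name to the reasons it was flagged."""
    findings = {}
    for entry in parse_o4(log_text):
        if reasons := assess(entry):
            findings[entry.name] = reasons
    return findings


if __name__ == "__main__":
    for name, why in flag_run_entries(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(why)}")
```

Run against a real log the output lists only the entries worth checking by hand; a hit is a prompt to look at the file, not a verdict on its own.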


Daz - 26-6-2008 at 01:01

Pancake, I thought this was what the problem was, however this infection is on a Packard Bell (or maybe HP, I forget now) Vista machine.

How does that affect the Recovery Console thing...?

This was why I didn't proceed any further, and looked for more expert guidance...! :)


Pancake - 26-6-2008 at 23:23

Don't worry about the Recovery Console. It won't be a problem. Not needed. Just run the Combofix.


Daz - 27-6-2008 at 12:24

OK, tried to run ComboFix, but it gives error messages about not finding some files, and mentions error code x08...(?)

So I'm reluctant to continue to allow it to run in case it causes more problems...?

Can you confirm it's safe to continue please...?


Pancake - 28-6-2008 at 01:06

Run it..its fine. :D


Daz - 28-6-2008 at 15:01

ComboFix 08-06-20.4 - luke 2008-06-28 15:04:43.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1073 [GMT 1:00]
Running from: C:UserslukeDesktopComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:Documents and SettingsAll UsersApplication DataMicrosoftNetworkDownloaderqmgr0.dat
C:Documents and SettingsAll UsersApplication DataMicrosoftNetworkDownloaderqmgr1.dat

----- BITS: Possible infected sites -----

hxxp://rad.msn.com
hxxp://ads.msn.com
.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-28 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 14:06 192,466,208 --sha-w C:Windowssystem32driversfidbox.dat
2008-06-27 14:08 2,568,008 --sha-w C:Windowssystem32driversfidbox.idx
2008-06-27 12:00 --------- d-----w C:Program FilesLavasoft
2008-06-27 11:59 --------- d-----w C:Program FilesCommon FilesWise Installation Wizard
2008-06-25 16:35 --------- d-----w C:Program FilesTrend Micro
2008-06-25 16:30 --------- d-----w C:Program FilesSafari
2008-06-25 16:08 --------- d-----w C:Program FilesCCleaner
2008-06-25 16:03 --------- d-----w C:Program FilesJava
2008-06-25 16:02 --------- d-----w C:Program FilesCommon FilesJava
2008-06-25 15:48 --------- d-----w C:Program FilesMicrosoft Works
2008-06-25 15:46 --------- d-----w C:Program FilesMicrosoft.NET
2008-06-14 13:56 --------- d-----w C:UserslukeAppDataRoamingLimeWire
2008-06-11 18:48 --------- d-----w C:Program FilesWindows Mail
2008-06-08 10:35 412 ----a-w C:UserslukeAppDataRoamingwklnhst.dat
2008-06-07 15:44 --------- d-----w C:Program FilesSun
2008-06-07 14:56 --------- d-----w C:Program FilesiTunes
2008-06-07 14:56 --------- d-----w C:Program FilesiPod
2008-06-07 14:55 --------- d-----w C:Program FilesQuickTime
2008-06-07 14:42 --------- d-----w C:Program FilesApple Software Update
2008-05-29 17:34 88,774 ----a-w C:Windowssystem32driversklick.dat
2008-05-29 13:52 --------- d--h--w C:Program FilesInstallShield Installation Information
2008-05-29 13:52 --------- d-----w C:Program FilesCommon FilesMicrosoft Games
2008-05-29 13:22 --------- d-----w C:Program FilesMicrosoft Games
2008-05-28 16:09 96,966 ----a-w C:Windowssystem32driversklin.dat
2008-05-28 14:17 --------- d-----w C:Program FilesOpenOffice.org 2.4
2008-05-28 14:15 --------- d-----w C:UserslukeAppDataRoamingOpenOffice.org2
2008-05-28 13:48 112,144 ----a-w C:Windowssystem32driverskl1.sys
2008-05-25 18:54 --------- d-----w C:Program FilesKaspersky Lab
2008-05-16 10:58 12,632 ----a-w C:WindowsSystem32lsdelete.exe
2008-05-10 03:30 14,848 ----a-w C:WindowsSystem32wshrm.dll
2008-05-10 01:21 113,664 ----a-w C:Windowssystem32driversrmcast.sys
2008-05-05 09:18 --------- d-----w C:Program FilesCommon FilesSymantec Shared
2008-04-30 17:50 --------- d-----w C:Program FilesPicasa2
2008-04-29 10:20 15,648 ----a-w C:Windowssystem32driversNSDriver.sys
2008-04-29 10:19 15,648 ----a-w C:Windowssystem32driversAwrtrd.sys
2008-04-29 10:19 12,960 ----a-w C:Windowssystem32driversAwrtpd.sys
2008-04-26 08:02 1,327,104 ----a-w C:WindowsSystem32quartz.dll
2008-04-25 04:23 826,368 ----a-w C:WindowsSystem32wininet.dll
2008-04-25 04:23 56,320 ----a-w C:WindowsSystem32iesetup.dll
2008-04-25 04:23 52,736 ----a-w C:WindowsAppPatchiebrshim.dll
2008-04-25 04:22 26,624 ----a-w C:WindowsSystem32ieUnatt.exe
2008-04-23 04:27 428,032 ----a-w C:WindowsSystem32EncDec.dll
2008-04-23 04:27 292,352 ----a-w C:WindowsSystem32psisdecd.dll
2008-04-23 04:27 1,244,672 ----a-w C:WindowsSystem32mcmde.dll
2008-03-31 20:24 676,224 ----a-w C:WindowsSystem32OGACheckControl.dll
2007-01-03 08:46 174 --sha-w C:Program Filesdesktop.ini
2008-01-21 16:30 32,768 --sha-w C:WindowsSystem32configsystemprofileAppDataLocalMicrosoftWindowsHistoryHistory.IE5MSHist012008011420080121index.dat
2008-02-05 14:30 32,768 --sha-w C:WindowsSystem32configsystemprofileAppDataLocalMicrosoftWindowsHistoryHistory.IE5MSHist012008012820080204index.dat
2008-02-05 17:00 32,768 --sha-w C:WindowsSystem32configsystemprofileAppDataLocalMicrosoftWindowsHistoryHistory.IE5MSHist012008020520080206index.dat
2008-02-06 18:30 32,768 --sha-w C:WindowsSystem32configsystemprofileAppDataLocalMicrosoftWindowsHistoryHistory.IE5MSHist012008020620080207index.dat
2008-02-07 20:30 32,768 --sha-w C:WindowsSystem32configsystemprofileAppDataLocalMicrosoftWindowsHistoryHistory.IE5MSHist012008020720080208index.dat
2008-02-09 19:00 32,768 --sha-w C:WindowsSystem32configsystemprofileAppDataLocalMicrosoftWindowsHistoryHistory.IE5MSHist012008020920080210index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"Sidebar"="C:Program FilesWindows Sidebarsidebar.exe" [2008-01-10 18:39 1232896]
"SmpcSys"="C:Program FilesPackard BellSetUpMyPCSmpSys.exe" [2007-07-19 14:32 1120568]
"MsnMsgr"="C:Program FilesWindows LiveMessengerMsnMsgr.Exe" [2007-10-18 12:34 5724184]
"SpybotSD TeaTimer"="C:Program FilesSpybot - Search & DestroyTeaTimer.exe" [2008-01-28 12:43 2097488]
"WMPNSCFG"="C:Program FilesWindows Media PlayerWMPNSCFG.exe" [2006-11-02 13:36 201728]
"ISUSPM"="C:Program FilesCommon FilesInstallShieldUpdateServiceISUSPM.exe" [2006-09-11 05:40 218032]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 16:10 4468736 C:WindowsRtHDVCpl.exe]
"LogitechCommunicationsManager"="C:Program FilesCommon FilesLogiShrdLComMgrCommunications_Helper.exe" [2007-10-25 17:33 563984]
"LogitechQuickCamRibbon"="C:Program FilesLogitechQuickCamQuickcam.exe" [2007-10-25 17:37 2178832]
"iTunesHelper"="C:Program FilesiTunesiTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:Program FilesJavajre1.6.0_06binjusched.exe" [2008-03-25 04:28 144784]
"NvSvc"="C:Windowssystem32nvsvc.dll" [2007-07-06 20:15 86016]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
"Picasa Media Detector"="C:Program FilesPicasa2PicasaMediaDetector.exe" [2008-02-26 02:23 443968]

[HKLM~startupfolderC:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:ProgramDataMicrosoftWindowsStart MenuProgramsStartupHP Digital Imaging Monitor.lnk
backup=C:WindowspssHP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregAdobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:Program FilesAdobeReader 8.0ReaderReader_sl.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregBoneSlow]
C:ProgramDataKnob fork fork.2wnwt53

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregehTray.exe]
--a------ 2006-11-02 13:35 125440 C:WindowsehomeehTray.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregHP Software Update]
--a------ 2006-12-10 22:52 49152 C:Program FilesHPHP Software UpdateHPWuSchd2.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregNvCplDaemon]
--a------ 2007-07-06 20:15 8466432 C:Windowssystem32NvCpl.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregNvMediaCenter]
--a------ 2007-07-06 20:15 81920 C:Windowssystem32NvMcTray.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregQuickTime Task]
--a------ 2008-03-28 23:37 413696 C:Program FilesQuickTimeQTTask.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregROAD ITCH AMOK PING]
--a------ 2007-12-30 03:02 245776 C:ProgramDataTeam real flaw.0qgvvhm

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregRoxWatchTray]
--a------ 2007-01-11 12:40 232184 C:Program FilesCommon FilesRoxio Shared9.0SharedCOMRoxWatchTray9.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSkytel]


[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSymantec PIF AlertEng]
--a------ 2008-01-29 18:38 583048 C:Program FilesCommon FilesSymantec SharedPIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}PIFSvc.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregtoolbar_eula_launcher]
--a------ 2007-02-20 17:20 28672 C:Program FilesPackard BellGOOGLE_EULAEULALauncher.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringKasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM~servicessharedaccessparametersfirewallpolicyFirewallRules]
"{126D41EC-89B1-4B41-9B06-B6DC5C00E17E}"= Profile=Private|C:Program FilesCyberLinkMagicSportsMagicSports.exe:_this_program_will_be_deleted
"{5DC530EA-3824-4F68-8F0F-521E022DAFE8}"= Disabled:UDP:C:Program FilesiTunesiTunes.exe:iTunes
"{BE3DB0BE-292A-48B1-BB98-87094E7A750A}"= Disabled:TCP:C:Program FilesiTunesiTunes.exe:iTunes
"{FC960D5A-85C4-40EF-9495-B401BAB88B86}"= Disabled:UDP:C:Program FilesLimeWireLimeWire.exe:LimeWire
"{3BC6BB6F-459F-4137-A69A-3E7E25F64723}"= Disabled:TCP:C:Program FilesLimeWireLimeWire.exe:LimeWire
"{44518A9E-D4CB-4E85-AD04-BA4628150DEB}"= Disabled:UDP:C:Program FilesSkypePhoneSkype.exe:Skype
"{00F59FF9-9729-43E8-B4BF-30A0F46ECF6E}"= Disabled:TCP:C:Program FilesSkypePhoneSkype.exe:Skype
"{C15F6C98-E328-4714-8986-A34D11262AB9}"= C:Program FilesWindows LiveMessengerlivecall.exe:Windows Live Messenger (Phone)
"{C35230F3-BF98-4D59-BB6A-08785E1CE801}"= UDP:C:Program FilesLimeWireLimeWire.exe:LimeWire
"{A3DCA4E7-55AD-4539-A2D6-04BBA5E7BAC7}"= TCP:C:Program FilesLimeWireLimeWire.exe:LimeWire
"TCP Query User{109FB260-1525-4EA9-9C33-1B796B319FAF}C:\programdata\kaspersky lab setup files\kaspersky anti-virus 7.0.1.325\english\setup.exe"= UDP:C:programdatakaspersky lab setup fileskaspersky anti-virus 7.0.1.325englishsetup.exe:Kaspersky Anti-Virus 7.0 Setup
"UDP Query User{36DDCA13-1FEA-4A21-BE6F-E141F9F5D257}C:\programdata\kaspersky lab setup files\kaspersky anti-virus 7.0.1.325\english\setup.exe"= TCP:C:programdatakaspersky lab setup fileskaspersky anti-virus 7.0.1.325englishsetup.exe:Kaspersky Anti-Virus 7.0 Setup
"TCP Query User{54F9B3EB-A141-4C27-8CED-BFDF23973C0A}C:\program files\microsoft games\fs2002\fs2002.exe"= UDP:C:program filesmicrosoft gamesfs2002fs2002.exe:Microsoft Flight Simulator Module
"UDP Query User{034CAC83-2500-426C-9430-CE154B5CB305}C:\program files\microsoft games\fs2002\fs2002.exe"= TCP:C:program filesmicrosoft gamesfs2002fs2002.exe:Microsoft Flight Simulator Module
"TCP Query User{9110E6EF-5C0C-4ADA-9569-2A277D8E60CD}C:\windows\system32\dplaysvr.exe"= UDP:C:windowssystem32dplaysvr.exe:Microsoft DirectPlay Helper
"UDP Query User{E12B1D36-D6FE-4819-BE82-2AA4E67A7177}C:\windows\system32\dplaysvr.exe"= TCP:C:windowssystem32dplaysvr.exe:Microsoft DirectPlay Helper
"{0894FA16-3F0B-40DA-97AE-2F65237CDACF}"= UDP:C:Program FilesiTunesiTunes.exe:iTunes
"{B6CC834C-7E20-4758-9653-732F51B042F9}"= TCP:C:Program FilesiTunesiTunes.exe:iTunes

[HKLM~servicessharedaccessparametersfirewallpolicyRestrictedServicesStaticSystem]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%system32svchost.exe|Svc=DFSR:Allow inbound TCP traffic|


[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 18:29:59 C:WindowsTasksPBReg.job"
- C:Program FilesHDRegHDRegApp.exe
"2008-02-09 19:59:59 C:WindowsTasksPBRegbk.job"
- C:Program FilesHDRegHDRegApp.exe
"2008-06-28 14:00:00 C:WindowsTasksRecovery DVD Creator.job"
- C:Program FilesPackard BellSetupMyPcMCDCheck.exe
"2008-06-28 13:06:31 C:WindowsTasksUser_Feed_Synchronization-{85D3D452-CA64-44CB-AA66-DD4C071752FB}.job"
- C:Windowssystem32msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-28 15:07:37
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-28 15:32:34
ComboFix-quarantined-files.txt 2008-06-28 14:28:14

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

179 --- E O F --- 2008-06-25 16:42:53


Daz - 28-6-2008 at 15:02

HJT Startup log attached as well, just in case...! Ta V Much Pancake.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:53:37, on 28/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:Windowssystem32Dwm.exe
C:WindowsExplorer.EXE
C:WindowsRtHDVCpl.exe
C:Program FilesCommon FileslogishrdLComMgrCommunications_Helper.exe
C:Program FilesLogitechQuickCamQuickcam.exe
C:Program FilesiTunesiTunesHelper.exe
C:Program FilesJavajre1.6.0_06binjusched.exe
C:Program FilesWindows Sidebarsidebar.exe
C:Program FilesPackard BellSetUpMyPCSmpSys.exe
C:Program FilesWindows LiveMessengermsnmsgr.exe
C:Program FilesSpybot - Search & DestroyTeaTimer.exe
C:Program FilesWindows Media Playerwmpnscfg.exe
C:Program FilesCommon FilesInstallShieldUpdateServiceISUSPM.exe
C:WindowsSystem32rundll32.exe
C:Program FilesWindows Sidebarsidebar.exe
C:Program FilesWindows Sidebarsidebar.exe
C:Program FilesCommon FilesLogiShrdLVCOMSERLVComSer.exe
C:Windowssystem32taskeng.exe
C:Program FilesCommon FilesLogishrdLQCVFXCOCIManager.exe
C:Windowssystem32wbemunsecapp.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=8&key=IESTART
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:PROGRA~1SPYBOT~1SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_06binssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:Program FilesCommon FilesMicrosoft SharedWindows LiveWindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:Program FilesGoogleGoogle_BAEBAE.dll
O4 - HKLM..Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM..Run: [LogitechCommunicationsManager] "C:Program FilesCommon FilesLogiShrdLComMgrCommunications_Helper.exe"
O4 - HKLM..Run: [LogitechQuickCamRibbon] "C:Program FilesLogitechQuickCamQuickcam.exe" /hide
O4 - HKLM..Run: [iTunesHelper] "C:Program FilesiTunesiTunesHelper.exe"
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre1.6.0_06binjusched.exe"
O4 - HKLM..Run: [NvSvc] RUNDLL32.EXE C:Windowssystem32nvsvc.dll,nvsvcStart
O4 - HKLM..Run: [AVP] "C:Program FilesKaspersky LabKaspersky Anti-Virus 7.0avp.exe"
O4 - HKCU..Run: [Sidebar] C:Program FilesWindows Sidebarsidebar.exe /autoRun
O4 - HKCU..Run: [SmpcSys] C:Program FilesPackard BellSetUpMyPCSmpSys.exe
O4 - HKCU..Run: [MsnMsgr] "C:Program FilesWindows LiveMessengerMsnMsgr.Exe" /background
O4 - HKCU..Run: [SpybotSD TeaTimer] C:Program FilesSpybot - Search & DestroyTeaTimer.exe
O4 - HKCU..Run: [WMPNSCFG] C:Program FilesWindows Media PlayerWMPNSCFG.exe
O4 - HKCU..Run: [ISUSPM] "C:Program FilesCommon FilesInstallShieldUpdateServiceISUSPM.exe" -scheduler
O4 - HKUSS-1-5-18..Run: [Picasa Media Detector] C:Program FilesPicasa2PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [Picasa Media Detector] C:Program FilesPicasa2PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~3Office12EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_06binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_06binssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:Program FilesKaspersky LabKaspersky Anti-Virus 7.0SCIEPlgn.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:Program FilesWindows LiveWriterWriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:Program FilesWindows LiveWriterWriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:PROGRA~1SPYBOT~1SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:PROGRA~1SPYBOT~1SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - AppInit_DLLs: C:PROGRA~1KASPER~1KASPER~1.0r3hook.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:Program FilesLavasoftAd-Awareaawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:Program FilesKaspersky LabKaspersky Anti-Virus 7.0avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:Program FilesCommon FilesSymantec SharedccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:Program FilesiPodbiniPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:PROGRA~1SymantecLIVEUP~1LUCOMS~1.EXE (file missing)
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:Program FilesCommon FilesSymantec SharedccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedPIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}PIFSvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:Program FilesCommon FilesLogiShrdLVCOMSERLVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:Program FilesCommon FilesLogiShrdLVMVFMLVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:Program FilesCommon FilesLogiShrdSrvLnchSrvLnch.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:Program FilesCommon FilesRoxio Shared9.0SharedCOMRoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:Program FilesCommon FilesRoxio Shared9.0SharedCOMRoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:Program FilesSpybot - Search & DestroySDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:Program FilesCommon FilesSureThing Sharedstllssvr.exe

--
End of file - 7464 bytes


Daz - 28-6-2008 at 16:02

MalwareBytes seems to be the only tool that picks anything up, Spybot, AdAware, Windows Defender and Kaspersky all give the all clear.

Seems a decent little app, that I'm now going to use on my own rigs. :)

Just as an FYI only Pancake, here is the log it's produced. (Not that it'll tell you anything you don't already know I'm sure, but thought I'd share it anyway!)


Pancake - 28-6-2008 at 22:53

Just this to fix and that should have you all finished.


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:

File::
C:ProgramDataTeam real flaw.0qgvvhm

Registry::
[-HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregBoneSlow]
[-HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregROAD ITCH AMOK PING]

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


(Image: http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif)

Referring to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*
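As an added example, not part of the original thread and not ComboFix's own code, here is a small Python dry-run reader for a CFScript.txt of the shape posted above: it lists what the File:: and Registry:: sections would remove and flags anything that points at a protected tree, so the script can be read back before it is dragged onto ComboFix. It also handles the `"name"=-` value-deletion form, which the posted script does not use. The backslashes in the sample are restored by assumption (the forum stripped them), and the protected-path lists are my own.

```python
"""Dry-run reader for a ComboFix CFScript.txt (added example, not ComboFix code).
It interprets the script and deletes nothing: 'File::' lists paths to remove;
in 'Registry::', '[-KEY]' removes a key and '"name"=-' under '[KEY]' removes a value."""
import re
from dataclasses import dataclass, field

# Assumed review lists (my own, not ComboFix's): anything here deserves a second look.
PROTECTED_PREFIXES = (r"c:\windows", r"c:\program files")
PROTECTED_KEYS = (r"hkey_local_machine\system", r"hkey_local_machine\software\microsoft\windows nt")

# Constructed sample based on the script posted in the thread; backslashes restored by assumption.
SAMPLE_CFSCRIPT = r"""
File::
C:\ProgramData\Team real flaw.0qgvvhm

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BoneSlow]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ROAD ITCH AMOK PING]
"""

@dataclass
class Plan:
    delete_files: list = field(default_factory=list)
    delete_keys: list = field(default_factory=list)
    delete_values: list = field(default_factory=list)   # (key, value name)
    warnings: list = field(default_factory=list)

def parse_cfscript(text: str) -> Plan:
    plan = Plan()
    section = None       # current "Name::" section, lower-cased
    current_key = None   # last "[KEY]" header seen inside Registry::
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"([A-Za-z]+)::", line)
        if header:
            section, current_key = header.group(1).lower(), None
            continue
        if section == "file":
            plan.delete_files.append(line)
            if line.lower().startswith(PROTECTED_PREFIXES):
                plan.warnings.append(f"file under protected tree: {line}")
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                key = line[2:-1]
                plan.delete_keys.append(key)
                current_key = None
                if key.lower().startswith(PROTECTED_KEYS):
                    plan.warnings.append(f"whole key under protected hive: {key}")
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
            else:
                value = re.fullmatch(r'"([^"]+)"=-', line)
                if value and current_key:
                    plan.delete_values.append((current_key, value.group(1)))
                else:
                    plan.warnings.append(f"unrecognised registry line: {line}")
        else:
            plan.warnings.append(f"line outside a known section: {line}")
    return plan

if __name__ == "__main__":
    p = parse_cfscript(SAMPLE_CFSCRIPT)
    for label, items in (("delete file", p.delete_files), ("delete key", p.delete_keys),
                         ("delete value", p.delete_values), ("WARNING", p.warnings)):
        for item in items:
            print(f"{label}: {item}")
```

For the posted script the plan is one file and two msconfig startupreg keys with no warnings, which is what a cleanup script of this kind should look like.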


Daz - 28-6-2008 at 23:36

Thanks Pancake, bit late now here, but will do it tomorrow....

Much appreciated.


Daz - 30-6-2008 at 14:16

Ok, new logs after running the CF script... Thanks again. (HJT attached)

ComboFix 08-06-20.4 - luke 2008-06-30 14:21:35.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1251 [GMT 1:00]
Running from: C:UserslukeDesktopComboFix.exe
Command switches used :: C:UserslukeDesktopCFScript.txt
* Created a new restore point

FILE ::
C:ProgramDataTeam real flaw.0qgvvhm
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:ProgramDataTeam real flaw.0qgvvhm

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 16:22 2,572,016 --sha-w C:Windowssystem32driversfidbox.idx
2008-06-28 16:22 192,511,008 --sha-w C:Windowssystem32driversfidbox.dat
2008-06-28 14:55 --------- d-----w C:UserslukeAppDataRoamingMalwarebytes
2008-06-28 14:55 --------- d-----w C:Program FilesMalwarebytes' Anti-Malware
2008-06-27 12:00 --------- d-----w C:Program FilesLavasoft
2008-06-27 11:59 --------- d-----w C:Program FilesCommon FilesWise Installation Wizard
2008-06-25 16:35 --------- d-----w C:Program FilesTrend Micro
2008-06-25 16:30 --------- d-----w C:Program FilesSafari
2008-06-25 16:08 --------- d-----w C:Program FilesCCleaner
2008-06-25 16:03 --------- d-----w C:Program FilesJava
2008-06-25 16:02 --------- d-----w C:Program FilesCommon FilesJava
2008-06-25 15:48 --------- d-----w C:Program FilesMicrosoft Works
2008-06-25 15:46 --------- d-----w C:Program FilesMicrosoft.NET
2008-06-19 16:48 34,296 ----a-w C:Windowssystem32driversmbamcatchme.sys
2008-06-19 16:47 17,144 ----a-w C:Windowssystem32driversmbam.sys
2008-06-14 13:56 --------- d-----w C:UserslukeAppDataRoamingLimeWire
2008-06-11 18:48 --------- d-----w C:Program FilesWindows Mail
2008-06-08 10:35 412 ----a-w C:UserslukeAppDataRoamingwklnhst.dat
2008-06-07 15:44 --------- d-----w C:Program FilesSun
2008-06-07 14:56 --------- d-----w C:Program FilesiTunes
2008-06-07 14:56 --------- d-----w C:Program FilesiPod
2008-06-07 14:55 --------- d-----w C:Program FilesQuickTime
2008-06-07 14:42 --------- d-----w C:Program FilesApple Software Update
2008-05-29 17:34 88,774 ----a-w C:Windowssystem32driversklick.dat
2008-05-29 13:52 --------- d--h--w C:Program FilesInstallShield Installation Information
2008-05-29 13:52 --------- d-----w C:Program FilesCommon FilesMicrosoft Games
2008-05-29 13:22 --------- d-----w C:Program FilesMicrosoft Games
2008-05-28 16:09 96,966 ----a-w C:Windowssystem32driversklin.dat
2008-05-28 14:17 --------- d-----w C:Program FilesOpenOffice.org 2.4
2008-05-28 14:15 --------- d-----w C:UserslukeAppDataRoamingOpenOffice.org2
2008-05-28 13:48 112,144 ----a-w C:Windowssystem32driverskl1.sys
2008-05-25 18:54 --------- d-----w C:Program FilesKaspersky Lab
2008-05-16 10:58 12,632 ----a-w C:WindowsSystem32lsdelete.exe
2008-05-10 03:30 14,848 ----a-w C:WindowsSystem32wshrm.dll
2008-05-10 01:21 113,664 ----a-w C:Windowssystem32driversrmcast.sys
2008-05-05 09:18 --------- d-----w C:Program FilesCommon FilesSymantec Shared
2008-04-30 17:50 --------- d-----w C:Program FilesPicasa2
2008-04-29 10:20 15,648 ----a-w C:Windowssystem32driversNSDriver.sys
2008-04-29 10:19 15,648 ----a-w C:Windowssystem32driversAwrtrd.sys
2008-04-29 10:19 12,960 ----a-w C:Windowssystem32driversAwrtpd.sys
2008-04-26 08:02 1,327,104 ----a-w C:WindowsSystem32quartz.dll
2008-04-25 04:23 826,368 ----a-w C:WindowsSystem32wininet.dll
2008-04-25 04:23 56,320 ----a-w C:WindowsSystem32iesetup.dll
2008-04-25 04:23 52,736 ----a-w C:WindowsAppPatchiebrshim.dll
2008-04-25 04:22 26,624 ----a-w C:WindowsSystem32ieUnatt.exe
2008-04-23 04:27 428,032 ----a-w C:WindowsSystem32EncDec.dll
2008-04-23 04:27 292,352 ----a-w C:WindowsSystem32psisdecd.dll
2008-04-23 04:27 1,244,672 ----a-w C:WindowsSystem32mcmde.dll
2008-03-31 20:24 676,224 ----a-w C:WindowsSystem32OGACheckControl.dll
2008-03-08 04:30 537,600 ----a-w C:WindowsAppPatchAcLayers.dll
2008-03-08 04:30 449,536 ----a-w C:WindowsAppPatchAcSpecfc.dll
2008-03-08 04:30 2,144,256 ----a-w C:WindowsAppPatchAcGenral.dll
2008-03-08 04:30 173,056 ----a-w C:WindowsAppPatchAcXtrnal.dll
2008-03-08 04:30 1,686,528 ----a-w C:WindowsSystem32gameux.dll
2008-03-08 00:37 4,247,552 ----a-w C:WindowsSystem32GameUXLegacyGDFs.dll
2008-03-08 00:22 2,560 ----a-w C:WindowsAppPatchAcRes.dll
2007-01-03 08:46 174 --sha-w C:Program Filesdesktop.ini
2008-01-21 16:30 32,768 --sha-w C:WindowsSystem32configsystemprofileAppDataLocalMicrosoftWindowsHistoryHistory.IE5MSHist012008011420080121index.dat
2008-02-05 14:30 32,768 --sha-w C:WindowsSystem32configsystemprofileAppDataLocalMicrosoftWindowsHistoryHistory.IE5MSHist012008012820080204index.dat
2008-02-05 17:00 32,768 --sha-w C:WindowsSystem32configsystemprofileAppDataLocalMicrosoftWindowsHistoryHistory.IE5MSHist012008020520080206index.dat
2008-02-06 18:30 32,768 --sha-w C:WindowsSystem32configsystemprofileAppDataLocalMicrosoftWindowsHistoryHistory.IE5MSHist012008020620080207index.dat
2008-02-07 20:30 32,768 --sha-w C:WindowsSystem32configsystemprofileAppDataLocalMicrosoftWindowsHistoryHistory.IE5MSHist012008020720080208index.dat
2008-02-09 19:00 32,768 --sha-w C:WindowsSystem32configsystemprofileAppDataLocalMicrosoftWindowsHistoryHistory.IE5MSHist012008020920080210index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-06-28_15.08.28.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-27 14:08:57 67,584 --s-a-w C:Windowsbootstat.dat
+ 2008-06-30 13:17:39 67,584 --s-a-w C:Windowsbootstat.dat
- 2008-06-27 14:08:58 2,048 --sha-w C:WindowsServiceProfilesLocalServiceAppDataLocallastalive0.dat
+ 2008-06-30 13:17:40 2,048 --sha-w C:WindowsServiceProfilesLocalServiceAppDataLocallastalive0.dat
- 2008-06-27 14:08:59 2,048 --sha-w C:WindowsServiceProfilesLocalServiceAppDataLocallastalive1.dat
+ 2008-06-30 13:17:40 2,048 --sha-w C:WindowsServiceProfilesLocalServiceAppDataLocallastalive1.dat
- 2008-06-27 14:11:14 262,144 --sha-w C:WindowsServiceProfilesLocalServiceNTUSER.DAT
+ 2008-06-30 13:19:55 262,144 --sha-w C:WindowsServiceProfilesLocalServiceNTUSER.DAT
+ 2008-06-30 13:19:55 262,144 ---ha-w C:WindowsServiceProfilesLocalServicentuser.dat.LOG1
- 2008-06-27 15:46:41 262,144 --sha-w C:WindowsServiceProfilesNetworkServiceNTUSER.DAT
+ 2008-06-30 13:19:50 262,144 --sha-w C:WindowsServiceProfilesNetworkServiceNTUSER.DAT
+ 2008-06-30 13:19:50 262,144 ---ha-w C:WindowsServiceProfilesNetworkServicentuser.dat.LOG1
- 2008-06-27 12:02:25 111,812 ----a-w C:WindowsSystem32perfc009.dat
+ 2008-06-28 14:57:25 111,812 ----a-w C:WindowsSystem32perfc009.dat
- 2008-06-27 12:02:25 631,234 ----a-w C:WindowsSystem32perfh009.dat
+ 2008-06-28 14:57:25 631,234 ----a-w C:WindowsSystem32perfh009.dat
- 2008-06-27 14:11:36 8,732 ----a-w C:WindowsSystem32WDI{86432a0b-3c7d-4ddf-a89c-172faa90485d}S-1-5-21-2069491792-4117358602-4163992404-1002_UserData.bin
+ 2008-06-30 13:20:19 8,732 ----a-w C:WindowsSystem32WDI{86432a0b-3c7d-4ddf-a89c-172faa90485d}S-1-5-21-2069491792-4117358602-4163992404-1002_UserData.bin
- 2008-06-27 14:11:36 53,410 ----a-w C:WindowsSystem32WDIBootPerformanceDiagnostics_SystemData.bin
+ 2008-06-30 13:20:19 53,542 ----a-w C:WindowsSystem32WDIBootPerformanceDiagnostics_SystemData.bin
- 2008-06-27 14:11:34 48,512 ----a-w C:WindowsSystem32WDIShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-30 13:20:14 49,018 ----a-w C:WindowsSystem32WDIShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"Sidebar"="C:Program FilesWindows Sidebarsidebar.exe" [2008-01-10 18:39 1232896]
"SmpcSys"="C:Program FilesPackard BellSetUpMyPCSmpSys.exe" [2007-07-19 14:32 1120568]
"MsnMsgr"="C:Program FilesWindows LiveMessengerMsnMsgr.Exe" [2007-10-18 12:34 5724184]
"SpybotSD TeaTimer"="C:Program FilesSpybot - Search & DestroyTeaTimer.exe" [2008-01-28 12:43 2097488]
"WMPNSCFG"="C:Program FilesWindows Media PlayerWMPNSCFG.exe" [2006-11-02 13:36 201728]
"ISUSPM"="C:Program FilesCommon FilesInstallShieldUpdateServiceISUSPM.exe" [2006-09-11 05:40 218032]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 16:10 4468736 C:WindowsRtHDVCpl.exe]
"LogitechCommunicationsManager"="C:Program FilesCommon FilesLogiShrdLComMgrCommunications_Helper.exe" [2007-10-25 17:33 563984]
"LogitechQuickCamRibbon"="C:Program FilesLogitechQuickCamQuickcam.exe" [2007-10-25 17:37 2178832]
"iTunesHelper"="C:Program FilesiTunesiTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:Program FilesJavajre1.6.0_06binjusched.exe" [2008-03-25 04:28 144784]
"NvSvc"="C:Windowssystem32nvsvc.dll" [2007-07-06 20:15 86016]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
"Picasa Media Detector"="C:Program FilesPicasa2PicasaMediaDetector.exe" [2008-02-26 02:23 443968]

[HKLM~startupfolderC:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:ProgramDataMicrosoftWindowsStart MenuProgramsStartupHP Digital Imaging Monitor.lnk
backup=C:WindowspssHP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregAdobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:Program FilesAdobeReader 8.0ReaderReader_sl.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregehTray.exe]
--a------ 2006-11-02 13:35 125440 C:WindowsehomeehTray.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregHP Software Update]
--a------ 2006-12-10 22:52 49152 C:Program FilesHPHP Software UpdateHPWuSchd2.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregNvCplDaemon]
--a------ 2007-07-06 20:15 8466432 C:Windowssystem32NvCpl.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregNvMediaCenter]
--a------ 2007-07-06 20:15 81920 C:Windowssystem32NvMcTray.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregQuickTime Task]
--a------ 2008-03-28 23:37 413696 C:Program FilesQuickTimeQTTask.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregRoxWatchTray]
--a------ 2007-01-11 12:40 232184 C:Program FilesCommon FilesRoxio Shared9.0SharedCOMRoxWatchTray9.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSkytel]


[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSymantec PIF AlertEng]
--a------ 2008-01-29 18:38 583048 C:Program FilesCommon FilesSymantec SharedPIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}PIFSvc.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregtoolbar_eula_launcher]
--a------ 2007-02-20 17:20 28672 C:Program FilesPackard BellGOOGLE_EULAEULALauncher.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringKasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM~servicessharedaccessparametersfirewallpolicyFirewallRules]
"{126D41EC-89B1-4B41-9B06-B6DC5C00E17E}"= Profile=Private|C:Program FilesCyberLinkMagicSportsMagicSports.exe:_this_program_will_be_deleted
"{5DC530EA-3824-4F68-8F0F-521E022DAFE8}"= Disabled:UDP:C:Program FilesiTunesiTunes.exe:iTunes
"{BE3DB0BE-292A-48B1-BB98-87094E7A750A}"= Disabled:TCP:C:Program FilesiTunesiTunes.exe:iTunes
"{FC960D5A-85C4-40EF-9495-B401BAB88B86}"= Disabled:UDP:C:Program FilesLimeWireLimeWire.exe:LimeWire
"{3BC6BB6F-459F-4137-A69A-3E7E25F64723}"= Disabled:TCP:C:Program FilesLimeWireLimeWire.exe:LimeWire
"{44518A9E-D4CB-4E85-AD04-BA4628150DEB}"= Disabled:UDP:C:Program FilesSkypePhoneSkype.exe:Skype
"{00F59FF9-9729-43E8-B4BF-30A0F46ECF6E}"= Disabled:TCP:C:Program FilesSkypePhoneSkype.exe:Skype
"{C15F6C98-E328-4714-8986-A34D11262AB9}"= C:Program FilesWindows LiveMessengerlivecall.exe:Windows Live Messenger (Phone)
"{C35230F3-BF98-4D59-BB6A-08785E1CE801}"= UDP:C:Program FilesLimeWireLimeWire.exe:LimeWire
"{A3DCA4E7-55AD-4539-A2D6-04BBA5E7BAC7}"= TCP:C:Program FilesLimeWireLimeWire.exe:LimeWire
"TCP Query User{109FB260-1525-4EA9-9C33-1B796B319FAF}C:\programdata\kaspersky lab setup files\kaspersky anti-virus 7.0.1.325\english\setup.exe"= UDP:C:programdatakaspersky lab setup fileskaspersky anti-virus 7.0.1.325englishsetup.exe:Kaspersky Anti-Virus 7.0 Setup
"UDP Query User{36DDCA13-1FEA-4A21-BE6F-E141F9F5D257}C:\programdata\kaspersky lab setup files\kaspersky anti-virus 7.0.1.325\english\setup.exe"= TCP:C:programdatakaspersky lab setup fileskaspersky anti-virus 7.0.1.325englishsetup.exe:Kaspersky Anti-Virus 7.0 Setup
"TCP Query User{54F9B3EB-A141-4C27-8CED-BFDF23973C0A}C:\program files\microsoft games\fs2002\fs2002.exe"= UDP:C:program filesmicrosoft gamesfs2002fs2002.exe:Microsoft Flight Simulator Module
"UDP Query User{034CAC83-2500-426C-9430-CE154B5CB305}C:\program files\microsoft games\fs2002\fs2002.exe"= TCP:C:program filesmicrosoft gamesfs2002fs2002.exe:Microsoft Flight Simulator Module
"TCP Query User{9110E6EF-5C0C-4ADA-9569-2A277D8E60CD}C:\windows\system32\dplaysvr.exe"= UDP:C:windowssystem32dplaysvr.exe:Microsoft DirectPlay Helper
"UDP Query User{E12B1D36-D6FE-4819-BE82-2AA4E67A7177}C:\windows\system32\dplaysvr.exe"= TCP:C:windowssystem32dplaysvr.exe:Microsoft DirectPlay Helper
"{0894FA16-3F0B-40DA-97AE-2F65237CDACF}"= UDP:C:Program FilesiTunesiTunes.exe:iTunes
"{B6CC834C-7E20-4758-9653-732F51B042F9}"= TCP:C:Program FilesiTunesiTunes.exe:iTunes

[HKLM~servicessharedaccessparametersfirewallpolicyRestrictedServicesStaticSystem]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%system32svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:Windowssystem32DRIVERSklim6.sys [2007-10-16 11:05]
R3 rt70x86;%WUSB54Gv4.Service.DispName%;C:Windowssystem32DRIVERSnetr70.sys [2006-12-29 02:01]
S3 UMPass;Microsoft UMPass Driver;C:Windowssystem32DRIVERSumpass.sys [2006-11-02 09:55]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 18:29:59 C:WindowsTasksPBReg.job"
- C:Program FilesHDRegHDRegApp.exe
"2008-02-09 19:59:59 C:WindowsTasksPBRegbk.job"
- C:Program FilesHDRegHDRegApp.exe
"2008-06-30 13:30:04 C:WindowsTasksRecovery DVD Creator.job"
- C:Program FilesPackard BellSetupMyPcMCDCheck.exe
"2008-06-30 13:20:11 C:WindowsTasksUser_Feed_Synchronization-{85D3D452-CA64-44CB-AA66-DD4C071752FB}.job"
- C:Windowssystem32msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 14:23:24
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-30 14:31:44
ComboFix-quarantined-files.txt 2008-06-30 13:31:08
ComboFix2.txt 2008-06-28 14:33:22

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

213 --- E O F --- 2008-06-25 16:42:53


Pancake - 30-6-2008 at 22:44

That looks to have removed the offender. You should be ok now.


Daz - 1-7-2008 at 00:21

Quote:
Originally posted by Pancake
That looks to have removed the offender. You should be ok now.


Thank you Pancake, appreciated.

PS. Is there anything else I need to do...? By that I mean clean up any files/folders, and turn anything back on that ComboFix may have turned off...?

Ta again.


Pancake - 1-7-2008 at 00:30

This will clear away any of the files and folders that were created by ComboFix.

Go to :
Start > Run then copy and paste the following highlighted text below and click OK.

Quote:


ComboFix /u


Daz - 1-7-2008 at 02:27

Quote:
Originally posted by Pancake
This will clear away any of the files and folders that were created by ComboFix.

Go to :
Start > Run then copy and paste the following highlighted text below and click OK.

Quote:


ComboFix /u



Okey-Dokey, ta!

And no issues re CD/DVD Autoruns will need sorting...?


Pancake - 1-7-2008 at 03:56

The autorun/autoplay feature, when enabled, causes one of two things to happen depending on previously made choices.

1. When a cd-rom or dvd is inserted, or a usb device (camera, flashdrive, external hard drive, etc) is attached, Windows will open a message window that provides a list of actions to take based on the content of the device or media.

2. If on prior occasion of the message window, the user selected to always perform the same action with certain types of media/device, there will be no message window opened upon detection of media/device. Instead, it will automatically run the previously selected program or execute the same behavior.

Example: with autorun/autoplay enabled you insert a music cd. Windows will detect the cd and its contents, then open a message window that might offer to play the cd with Media Player, Music Match Jukebox, or any of many applications you may or may not have installed.
Insert a Movie DVD and Windows might prompt you to view it with Power DVD, Media Player, etc.

Example: with autorun/autoplay enabled and on a previous prompt for action the box was checked to always apply the same action, Windows might automatically open Roxio CD Creator or Nero Burning ROM when a blank cd is inserted.

Plug in a usb camera and Windows might open or prompt you to use the Scanner and Camera Transfer Wizard to transfer the pictures to your computer.

Plug in a flash drive and Windows might open or prompt you to use Windows Explorer to browse the contents of the flash drive. It may also just execute an infection residing on the flash drive, thereby infecting your computer.

Insert a game cd or software cd, and Windows might automatically begin the installation setup.

Malware authors have begun to exploit the autorun/autoplay feature, so the author of ComboFix disabled it, in an effort to help protect your computer from becoming infected via that avenue. It has been included in ComboFix for your future protection.

Many security apps disable it as well, and even Microsoft recommends disabling it. Disabling autorun/autoplay does not prevent you from accessing those media sources. They are still available by opening My Computer and accessing the source drive (cd, dvd, usb flash or external hard drive). Pictures on a camera can still be accessed/transferred through My Pictures and selecting Get Pictures from a Scanner or Camera. Media can also be accessed via the program you intend to use it with, such as music cds accessed via Media Player, blank cds via your burning program, image handling software provided with the camera, etc.

I do recommend you leave the feature disabled and get into the habit of accessing those media devices manually. However, I will send you via PM the information required to re-enable the autoplay feature should you decide to do so.


Katzy - 1-7-2008 at 11:40

Quote:
Originally posted by Daz
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:36:18, on 25/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:

C:WindowsExplorer.EXE

End of file


[levity]

That'll be your problem, mate!

[/levity]


Daz - 1-7-2008 at 13:57

Thanks Pancake, I will tell the user the reasons, and that it's best to keep it this way... I'm sure he'll accept that. (Well his Dad will anyway, it's his son's PC...)

@ Katzy...

Yes mate, not my rig though... I mean, HP...? C'mon, give me some credit...!!! ;)