#1
Cannot open certain files "not a valid Win32 application".
Okay, the title was just one problem. I have run AVG, Trojan Remover, Avast, Ad-Aware, Anti-Spyware Doctor, and Avira; each found some problems and fixed them. However, I'm sure that a large amount of the problems came back immediately, and I'm sure they didn't fix everything. Almost every single one has either been "locked by administrator" (which is another problem I'm having), freezing it, or somehow a virus causes the computer to think that the .exe doesn't exist, so it fruitlessly searches for it. Also, I have been having constant problems on start-up, like my desktop getting spammed with CMD command pop-ups and driver errors. I did all the steps in the sticky except for step 4, because IE is broken and I would bet money it was because of a virus. Here are my logs:

Malwarebytes' Anti-Malware 1.11
Database version: 663

Scan type: Quick Scan
Objects scanned: 32316
Time elapsed: 5 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 32

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\E404.e404mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\AntispyStorm (Rogue.AntispyStorm) -> Quarantined and deleted successfully.
C:\Program Files\Helper (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AntispyStorm\stat.bin (Rogue.AntispyStorm) -> Quarantined and deleted successfully.
C:\Program Files\AntispyStorm\uninstall.exe (Rogue.AntispyStorm) -> Quarantined and deleted successfully.
C:\Program Files\AntispyStorm\uninstall.log (Rogue.AntispyStorm) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ksvcl.dll (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kcopt.dll (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\avifile32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avisynthex32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aviwrap32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bokja.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\browserad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\changeurl_30.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msa64chk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msapasrc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mspphe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ntnut.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\apphelp32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asferror32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asycfilt32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\athprxy32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvaa32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvag32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\audiosrv32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\autodisc32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cmds.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winfrun32.bin (Malware.Trace) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:18:46 PM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP1 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = -URL deleted-
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = -URL deleted-
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = -URL deleted-
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\

SUPERAntiSpyware Scan Log
Generated 04/20/2008 at 05:04 PM

Application Version : 4.0.1154

Core Rules Database Version : 3442
Trace Rules Database Version: 1434

Scan type : Complete Scan
Total Scan Time : 00:19:35

Memory items scanned : 368
Memory threats detected : 0
Registry items scanned : 5224
Registry threats detected : 0
File items scanned : 13501
File threats detected : 1

Rogue.LiveSecurityCenter-Trace
C:\WINDOWS\DEFAULT.HTM.VIR

I'm pretty computer illiterate, so if I messed up anywhere, tell me, and please try to explain things to me a little simpler than you might otherwise. I don't want to get confused and cause harm to my computer by doing something I should not have been doing because I didn't understand.
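The message in the thread title is the text Windows attaches to ERROR_BAD_EXE_FORMAT, which the loader returns when the file's DOS/PE headers fail its checks (a truncated file, an overwritten first sector, or a non-PE file renamed to .exe all produce it). The Python script below is an added example for this thread, not code from any of the tools discussed; it reads the headers the loader inspects and reports the first check that fails, so a file that is genuinely damaged can be told apart from one that something on the system is merely preventing from running. The sample images it tests are constructed inside the script; check_pe, check_file and build_minimal_pe are names chosen here.

```python
"""Check whether a file's header is one Windows would accept as a Win32 image.

Added example for the thread above; not code from any of the tools it mentions.
The sample images are constructed here rather than taken from a real system.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D             # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550          # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
# COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes, little-endian)
COFF_HEADER = "<HHIIIHH"
COFF_SIZE = struct.calcsize(COFF_HEADER)


def check_pe(data):
    """Return (ok, detail); on failure `detail` names the first header check that failed."""
    if len(data) < 64:
        return False, "shorter than a DOS header (truncated file)"
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return False, "no MZ signature: not a PE file, or its first bytes were overwritten"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the NT headers
    if e_lfanew + 4 + COFF_SIZE > len(data):
        return False, "e_lfanew points past the end of the file (truncated or corrupt header)"
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return False, "no PE signature at e_lfanew"
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(
        COFF_HEADER, data, e_lfanew + 4)
    if machine != IMAGE_FILE_MACHINE_I386:
        return False, "machine type 0x%X is not i386, so 32-bit Windows will not load it" % machine
    if not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        return False, "IMAGE_FILE_EXECUTABLE_IMAGE is not set (object file or damaged header)"
    opt_off = e_lfanew + 4 + COFF_SIZE
    if opt_size < 2 or opt_off + 2 > len(data):
        return False, "optional header is missing"
    if struct.unpack_from("<H", data, opt_off)[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        return False, "optional header magic is not PE32"
    kind = "DLL" if chars & IMAGE_FILE_DLL else "EXE"
    return True, "%s, %d section(s)" % (kind, nsections)


def check_file(path):
    """Run check_pe over a file on disk."""
    with open(path, "rb") as fh:
        return check_pe(fh.read())


def build_minimal_pe(overwrite_stub=False, truncate=False):
    """Constructed header-only PE32 image for demonstration; it is not a runnable program."""
    dos = bytearray(64)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 64)            # NT headers follow the DOS header directly
    coff = struct.pack(COFF_HEADER, IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224,
                       IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100)   # 0x0100 = 32-bit machine flag
    optional = struct.pack("<H", IMAGE_NT_OPTIONAL_HDR32_MAGIC) + bytes(222)
    image = bytes(dos) + b"PE\0\0" + coff + optional
    if overwrite_stub:      # simulate a file whose first sector was clobbered
        image = b"\0\0" + image[2:]
    if truncate:            # simulate an interrupted or partial write
        image = image[:70]
    return image


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        ok, detail = check_file(path)
        print("%s: %s (%s)" % (path, "OK" if ok else "NOT a valid Win32 image", detail))
```

Run it against the executables that refuse to start (`python checkpe.py "C:\Program Files\...\something.exe"`). If every check passes but Windows still reports the error, the file itself is intact and the block is being imposed from elsewhere on the system, which is the case the thread goes on to deal with.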
#2
|
||||
|
||||
|
Welcome. Let's see what we can do here.

1. Download ComboFix from the link below. You must rename it before saving it. Save it to your desktop. I suggest that you rename it to Combo-Fix.exe.

>> Download ComboFix <<

--------------------------------------------------------------------
* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
* Click on this link to see a list of programs that should be disabled: http://www.bleepingcomputer.com/forums/topic114351.html The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
* Remember to re-enable the protection again afterwards.

2. Double click on Combo-Fix.exe & follow the prompts.
* When finished, it will produce a report for you. Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Notes:
* Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
* CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please stay by the machine as it runs, and if any errors occur, please try and see what they are so we can pinpoint the problem.
#3
|
|||
|
|||
|
I ran ComboFix and it restarted my computer. I logged back on and ComboFix popped up telling me not to run any programs, but my computer runs programs on startup. What should I do?

Here's the log:

ComboFix 08-04-20.2 - User 2008-04-21 5:13:57.1 - NTFSx86
Running from: C:\Documents and Settings\User\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\conf.inf
C:\WINDOWS\ky.sxc
C:\WINDOWS\mscon.sio
C:\WINDOWS\system32\duis.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_lanmandrv


((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-21 05:20 . 2008-04-21 05:20 5,941 --a------ C:\WINDOWS\system32\drivers\klmion.sys
2008-04-20 16:29 . 2008-04-20 16:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-20 16:28 . 2008-04-20 16:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-20 16:28 . 2008-04-20 16:28 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-04-20 16:28 . 2008-04-20 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-20 16:27 . 2008-04-20 16:27 <DIR> d-------- C:\Program Files\CCleaner
2008-04-20 16:26 . 2008-04-20 16:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-20 16:26 . 2008-04-20 16:26 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-04-20 16:26 . 2008-04-20 16:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-20 01:26 . 2008-04-20 01:26 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-19 12:23 . 2008-04-20 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-19 12:22 . 2008-04-19 12:22 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-19 12:18 . 2008-04-19 14:52 <DIR> d-------- C:\Program Files\CyberDefender
2008-04-17 23:30 . 2008-04-17 23:30 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-17 23:30 . 2008-04-17 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-16 23:41 . 2008-04-19 14:52 <DIR> d-------- C:\Program Files\Google
2008-04-16 17:25 . 2008-04-17 00:59 15,082,980 --a------ C:\WindowsXP-KB835935-SP2-ENU.exe
2008-04-16 09:05 . 2008-04-16 22:21 305 --a------ C:\WINDOWS\wininit.ini
2008-04-16 08:23 . 2008-04-20 17:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-16 08:23 . 2008-04-20 09:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-16 07:26 . 2008-04-16 07:26 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-16 07:25 . 2008-04-16 07:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-16 05:17 . 2008-04-19 12:09 <DIR> d-------- C:\Program Files\Trojan Remover
2008-04-16 05:17 . 2008-04-16 05:17 <DIR> d-------- C:\Documents and Settings\User\Application Data\Simply Super Software
2008-04-16 05:17 . 2008-04-16 05:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-04-16 05:17 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-04-16 05:17 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-04-16 05:17 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-04-16 05:17 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-04-16 05:17 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-04-16 04:06 . 2008-04-16 04:06 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-16 02:38 . 2008-04-16 03:47 <DIR> d-------- C:\Program Files\VS Revo Group
2008-04-15 16:34 . 2008-04-15 16:34 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-04-15 16:34 . 2008-04-15 16:34 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-04-15 16:34 . 2008-04-15 16:34 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-04-15 16:34 . 2008-04-15 16:34 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-04-15 16:34 . 2008-04-15 16:34 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-04-15 16:34 . 2008-04-15 16:34 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-15 01:51 . 2008-04-15 16:41 <DIR> d-------- C:\WINDOWS\NV8401428.TMP
2008-04-15 01:46 . 2006-02-28 05:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-04-15 01:46 . 2006-02-28 05:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-04-15 01:46 . 2006-02-28 05:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-04-15 01:46 . 2006-02-28 05:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-04-14 23:51 . 2008-04-16 04:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-14 23:51 . 2008-04-21 05:17 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-14 21:34 . 2008-04-14 21:52 <DIR> d-------- C:\WINDOWS\NV8401536.TMP
2008-04-14 21:19 . 2006-02-28 05:00 1,086,058 -ra------ C:\WINDOWS\SETDF.tmp
2008-04-14 21:19 . 2006-02-28 05:00 1,042,903 -ra------ C:\WINDOWS\SETDC.tmp
2008-04-14 21:19 . 2006-02-28 05:00 14,573 -ra------ C:\WINDOWS\SET126.tmp
2008-04-14 21:19 . 2006-02-28 05:00 13,753 -ra------ C:\WINDOWS\SETEB.tmp
2008-04-14 02:21 . 2008-04-16 03:31 <DIR> d-------- C:\Documents and Settings\User\Application Data\AVG7
2008-04-14 02:21 . 2008-04-14 02:21 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-14 02:21 . 2008-04-16 04:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-14 01:36 . 2008-04-14 01:36 36,352 --a------ C:\WINDOWS\system32\fccddaBS.dll.vir
2008-04-14 01:36 . 2008-04-16 19:53 2 --a------ C:\207193443
2008-04-09 18:05 . 2008-04-09 19:27 <DIR> d-------- C:\Program Files\Gymnast
2008-04-09 18:05 . 2008-04-14 21:50 456,417 --a------ C:\WINDOWS\setupapi.old
2008-04-09 12:29 . 2008-04-09 12:29 <DIR> d-------- C:\Documents and Settings\User\Application Data\Switchball
2008-04-08 11:40 . 2008-04-08 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-04-07 21:37 . 2008-04-07 21:37 <DIR> d-------- C:\Program Files\OpenAL
2008-04-07 21:37 . 2008-04-07 21:37 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-04-07 21:37 . 2008-04-07 21:37 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-04-04 15:42 . 2008-04-04 15:42 <DIR> d-------- C:\Documents and Settings\User\Logs
2008-03-29 06:27 . 2008-04-16 03:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-29 06:26 . 2008-04-08 17:13 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-03-29 06:26 . 2008-03-29 06:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-29 06:26 . 2008-03-29 06:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-03-29 06:26 . 2008-04-04 10:29 861 --ah----- C:\IPH.PH
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-28 18:33 . 2008-03-28 18:33 <DIR> d-------- C:\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 23:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 21:41 --------- d-----w C:\Program Files\World of Warcraft
2008-04-19 21:39 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-19 21:39 --------- d-----w C:\Program Files\Ventrilo
2008-04-19 21:34 --------- d-----w C:\Program Files\The All-Seeing Eye
2008-04-19 21:33 --------- d-----w C:\Program Files\QuickTime
2008-04-19 21:33 --------- d-----w C:\Program Files\PowerISO
2008-04-19 21:24 --------- d-----w C:\Program Files\7-Zip
2008-04-19 19:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-16 14:25 --------- d-----w C:\Documents and Settings\User\Application Data\Lavasoft
2008-04-11 08:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-09 00:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-07 19:35 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-18 17:41 --------- d-----w C:\Program Files\Image-Line
2008-03-18 17:39 --------- d-----w C:\Program Files\VstPlugins
2008-03-14 04:53 --------- d-----w C:\Documents and Settings\User\Application Data\REAPER
2008-02-27 09:27 --------- d-----w C:\Program Files\Veoh Networks
2008-02-27 05:47 --------- d-----w C:\Program Files\Unity
2008-02-27 05:46 --------- d-----w C:\Program Files\Rainlendar2
2007-12-01 01:42 22,328 ----a-w C:\Documents and Settings\User\Application Data\PnkBstrK.sys

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2008-04-09 10:35 1271032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-04-28 18:08 749568]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2008-03-24 23:38 2196280]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1536000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-11 22:19 7626752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"nwiz"="nwiz.exe" [2006-07-11 22:19 1576960 C:\WINDOWS\system32\nwiz.exe]
"AGEIA PhysX SysTray"="C:\Program Files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 12:43 389120]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"SkyTel"="SkyTel.EXE" [2006-05-16 03:04 2936832 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 01:48 16265728 C:\WINDOWS\RTHDCPL.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-11 22:19 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 05:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcAPJdD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qxe41.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 05:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2005-07-08 07:25 1397760 C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-07-11 22:19 7626752 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-07-11 22:19 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-07-11 22:19 1576960 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-06-01 01:48 16265728 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-05-16 03:04 2936832 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\nwiz.exe"=
"C:\\Combo-Fix\\NirCmd.cfexe"=
"C:\\Program Files\\Creative\\Sync Manager Unicode\\CTSyncU.exe"=
"C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\3e291.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
\Shell\AutoRun\command - N:\Setup\rsrc\autorun.exe
\Shell\dinstall\command - N:\Directx\dxsetup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 14:58:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-03-26 05:07:32 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1167110555.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-04-21 05:20:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\klmion.sys 5941 bytes executable

scan completed successfully
hidden files: 138

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\DOCUME~1\User\LOCALS~1\Temp\3e291.exe
.
**************************************************************************
.
Completion time: 2008-04-21 5:24:25 - machine was rebooted [User]
ComboFix-quarantined-files.txt 2008-04-21 12:24:21
Pre-Run: 139,532,812,288 bytes free
Post-Run: 139,380,948,992 bytes free

230 --- E O F --- 2008-04-12 10:02:29
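The ComboFix log in the post above carries the entries a responder would pull out first: an executable in the user's Temp directory that is both running and whitelisted in the Windows Firewall exception list, Security Center monitoring switched off, an AutoRun command registered for a removable drive, and a driver that catchme reported as hidden. The Python script below is an added example for this thread, not code from the thread or from ComboFix; it walks a log in ComboFix's plain-text layout and collects those four indicator classes. SAMPLE_LOG is a constructed excerpt modelled on the posted log, and triage_combofix is a name chosen here. The heuristics are deliberately narrow and give a reading order for the log, not a verdict on any entry.

```python
"""Triage a ComboFix log for the indicator classes seen in the thread above.

Added example, not part of the thread or of ComboFix. SAMPLE_LOG is a
constructed excerpt modelled on the posted log, not the log itself.
"""
import re

# Executable loaded from a per-user or system Temp directory. Registry values
# in the log double their backslashes, so lines are normalised before matching.
TEMP_EXE = re.compile(r'[a-z]:\\[^\s"=]*\\temp\\[^\s"=]*\.(?:exe|dll|sys)\b', re.I)
# catchme prints hidden files as "<path> <size> bytes <kind>"
HIDDEN_FILE = re.compile(r"^([a-z]:\\.+?)\s+\d+\s+bytes", re.I)
# ComboFix section banners; a banner ends whatever registry key was current
SECTION_MARKERS = ("(((", "---", "***", "Contents of")


def triage_combofix(log_text):
    """Return a list of (indicator, detail) tuples found in a ComboFix log."""
    findings = []
    current_key = ""      # registry key that the following value lines belong to
    in_hidden = False     # inside catchme's "scanning hidden files" block
    for raw in log_text.splitlines():
        line = raw.strip().replace("\\\\", "\\")
        if not line:
            continue
        if line.startswith(SECTION_MARKERS):
            current_key = ""
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        if line.startswith("scanning hidden files"):
            in_hidden = True
            continue
        if line.startswith("scan completed"):
            in_hidden = False
            continue
        if in_hidden:
            m = HIDDEN_FILE.match(line)
            if m:
                findings.append(("hidden_file", m.group(1)))
        for m in TEMP_EXE.finditer(line):
            kind = "firewall_exception" if "firewallpolicy" in current_key else "temp_executable"
            findings.append((kind, m.group(0)))
        if "security center" in current_key and re.search(
                r'"DisableMonitoring"=dword:0*1$', line, re.I):
            findings.append(("security_center_monitoring_off", current_key.rsplit("\\", 1)[-1]))
        if "mountpoints2" in current_key and "\\autorun\\command" in line.lower():
            findings.append(("removable_autorun", line.split(" - ", 1)[-1]))
    return findings


# Constructed excerpt in ComboFix's layout, modelled on the log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\nwiz.exe"=
"C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\3e291.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
\Shell\AutoRun\command - N:\Setup\rsrc\autorun.exe
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\drivers\klmion.sys 5941 bytes executable
scan completed successfully
hidden files: 138
**************************************************************************
------------------------ Other Running Processes ------------------------
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\DOCUME~1\User\LOCALS~1\Temp\3e291.exe
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for indicator, detail in triage_combofix(text):
        print("%-32s %s" % (indicator, detail))
```

Run with a saved C:\ComboFix.txt as the argument to triage a real log, or with no argument to see the findings on the constructed sample. The same Temp path appearing as both a running process and a firewall exception is the strongest single signal in the sample, which is why the script reports each occurrence separately rather than de-duplicating by path.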
#4
|
||||
|
||||
|
Let's do some more damage control.

* Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the Quote box below:

Quote:

* Save this as CFScript.txt and place it on your desktop.
* Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
* ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
* When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply, with a new HJT log.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions, as they could damage the workings of your system.
#5
|
|||
|
|||
|
It did not produce a log for me. It finished, logged me out, and then when I logged back in nothing happened: no log, nothing.
I'll try it again.
#6
|
||||
|
||||
|
Did you remember to disable your protective programs? Sorry I forgot to include that step.
#7
|
|||
|
|||
|
Okay, it worked this time.
Here's the log:

ComboFix 08-04-20.2 - User 2008-04-21 7:18:30.3 - NTFSx86
Running from: C:\Documents and Settings\User\Desktop\ComboFix1.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\3e291.exe
C:\207193443
C:\DOCUME~1\User\LOCALS~1\Temp\3e291.exe
C:\WINDOWS\NV8401536.TMP
C:\WINDOWS\SET126.tmp
C:\WINDOWS\SETDC.tmp
C:\WINDOWS\SETDF.tmp
C:\WINDOWS\SETEB.tmp
C:\WINDOWS\system32\drivers\klmion.sys
C:\WINDOWS\system32\fccddaBS.dll.vir
N:\Directx\dxsetup.exe
N:\Setup\rsrc\autorun.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\3e291.exe
C:\207193443
C:\DOCUME~1\User\LOCALS~1\Temp\3e291.exe
C:\WINDOWS\SET126.tmp
C:\WINDOWS\SETDC.tmp
C:\WINDOWS\SETDF.tmp
C:\WINDOWS\SETEB.tmp
C:\WINDOWS\system32\fccddaBS.dll.vir

.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-21 07:07 . 2008-04-21 07:08 <DIR> d-------- C:\Combo-Fix
2008-04-20 16:29 . 2008-04-20 16:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-20 16:28 . 2008-04-20 16:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-20 16:28 . 2008-04-20 16:28 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-04-20 16:28 . 2008-04-20 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-20 16:27 . 2008-04-21 06:43 <DIR> d-------- C:\Program Files\CCleaner
2008-04-20 16:26 . 2008-04-20 16:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-20 16:26 . 2008-04-20 16:26 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-04-20 16:26 . 2008-04-20 16:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-20 01:26 . 2008-04-20 01:26 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-19 12:23 . 2008-04-20 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-19 12:22 . 2008-04-19 12:22 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-19 12:18 . 2008-04-19 14:52 <DIR> d-------- C:\Program Files\CyberDefender
2008-04-17 23:30 . 2008-04-17 23:30 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-17 23:30 . 2008-04-17 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-16 23:41 . 2008-04-19 14:52 <DIR> d-------- C:\Program Files\Google
2008-04-16 17:25 . 2008-04-17 00:59 15,082,980 --a------ C:\WindowsXP-KB835935-SP2-ENU.exe
2008-04-16 09:05 . 2008-04-16 22:21 305 --a------ C:\WINDOWS\wininit.ini
2008-04-16 08:23 . 2008-04-20 17:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-16 08:23 . 2008-04-20 09:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-16 07:26 . 2008-04-16 07:26 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-16 07:25 . 2008-04-16 07:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-16 05:17 . 2008-04-19 12:09 <DIR> d-------- C:\Program Files\Trojan Remover
2008-04-16 05:17 . 2008-04-16 05:17 <DIR> d-------- C:\Documents and Settings\User\Application Data\Simply Super Software
2008-04-16 05:17 . 2008-04-16 05:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-04-16 05:17 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-04-16 05:17 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-04-16 05:17 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-04-16 05:17 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-04-16 05:17 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-04-16 04:06 . 2008-04-16 04:06 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-16 02:38 . 2008-04-16 03:47 <DIR> d-------- C:\Program Files\VS Revo Group
2008-04-15 16:34 . 2008-04-15 16:34 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-04-15 16:34 . 2008-04-15 16:34 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-04-15 16:34 . 2008-04-15 16:34 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-04-15 16:34 . 2008-04-15 16:34 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-04-15 16:34 . 2008-04-15 16:34 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-04-15 16:34 . 2008-04-15 16:34 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-15 01:51 . 2008-04-15 16:41 <DIR> d-------- C:\WINDOWS\NV8401428.TMP
2008-04-15 01:46 . 2006-02-28 05:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-04-15 01:46 . 2006-02-28 05:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-04-15 01:46 . 2006-02-28 05:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-04-15 01:46 . 2006-02-28 05:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-04-14 23:51 . 2008-04-16 04:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-14 23:51 . 2008-04-21 05:17 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-14 21:34 . 2008-04-14 21:52 <DIR> d-------- C:\WINDOWS\NV8401536.TMP
2008-04-14 02:21 . 2008-04-16 03:31 <DIR> d-------- C:\Documents and Settings\User\Application Data\AVG7
2008-04-14 02:21 . 2008-04-14 02:21 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-14 02:21 . 2008-04-16 04:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-09 18:05 . 2008-04-09 19:27 <DIR> d-------- C:\Program Files\Gymnast
2008-04-09 18:05 . 2008-04-14 21:50 456,417 --a------ C:\WINDOWS\setupapi.old
2008-04-09 12:29 . 2008-04-09 12:29 <DIR> d-------- C:\Documents and Settings\User\Application Data\Switchball
2008-04-08 11:40 . 2008-04-08 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-04-07 21:37 . 2008-04-07 21:37 <DIR> d-------- C:\Program Files\OpenAL
2008-04-07 21:37 . 2008-04-07 21:37 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-04-07 21:37 . 2008-04-07 21:37 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-04-04 15:42 . 2008-04-04 15:42 <DIR> d-------- C:\Documents and Settings\User\Logs
2008-03-29 06:27 . 2008-04-16 03:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-29 06:26 . 2008-04-08 17:13 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-03-29 06:26 . 2008-03-29 06:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-29 06:26 . 2008-03-29 06:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-03-29 06:26 . 2008-04-04 10:29 861 --ah----- C:\IPH.PH
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-28 18:33 . 2008-03-28 18:33 <DIR> d-------- C:\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 23:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-04-19 21:41 --------- d-----w C:\Program Files\World of Warcraft 2008-04-19 21:39 --------- d-----w C:\Program Files\Windows Media Connect 2 2008-04-19 21:39 --------- d-----w C:\Program Files\Ventrilo 2008-04-19 21:34 --------- d-----w C:\Program Files\The All-Seeing Eye 2008-04-19 21:33 --------- d-----w C:\Program Files\QuickTime 2008-04-19 21:33 --------- d-----w C:\Program Files\PowerISO 2008-04-19 21:24 --------- d-----w C:\Program Files\7-Zip 2008-04-19 19:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-04-16 14:25 --------- d-----w C:\Documents and Settings\User\Application Data\Lavasoft 2008-04-11 08:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-04-09 00:18 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-04-08 07:11 2,560 ----a-w C:\WINDOWS\system32\bitcometres.dll 2008-04-07 19:35 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys 2008-04-07 19:35 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe 2008-03-18 17:41 --------- d-----w C:\Program Files\Image-Line 2008-03-18 17:39 --------- d-----w C:\Program Files\VstPlugins 2008-03-14 04:53 --------- d-----w C:\Documents and Settings\User\Application Data\REAPER 2008-02-27 09:27 --------- d-----w C:\Program Files\Veoh Networks 2008-02-27 05:47 --------- d-----w C:\Program Files\Unity 2008-02-27 05:46 --------- d-----w C:\Program Files\Rainlendar2 2007-12-01 01:42 22,328 ----a-w C:\Documents and Settings\User\Application Data\PnkBstrK.sys . ((((((((((((((((((((((((((((( snapshot@2008-04-21_ 5.24.01.18 ))))))))))))))))))))))))))))))))))))))))) . - 2008-04-21 12:17:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-04-21 14:12:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-04-21 14:12:55 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_634.dat . 
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Steam"="c:\program files\valve\steam\steam.exe" [2008-04-09 10:35 1271032] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360] "msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352] "CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-04-28 18:08 749568] "BitComet"="C:\Program Files\BitComet\BitComet.exe" [2008-03-24 23:38 2196280] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1536000] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-11 22:19 7626752] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496] "nwiz"="nwiz.exe" [2006-07-11 22:19 1576960 C:\WINDOWS\system32\nwiz.exe] "AGEIA PhysX SysTray"="C:\Program Files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 12:43 389120] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048] "SkyTel"="SkyTel.EXE" [2006-05-16 03:04 2936832 C:\WINDOWS\SkyTel.exe] "RTHDCPL"="RTHDCPL.EXE" [2006-06-01 01:48 16265728 C:\WINDOWS\RTHDCPL.exe] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-11 22:19 86016] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 05:00 15360] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program 
Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qxe41.sys] @="Driver" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2006-02-28 05:00 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD] --------- 2005-07-08 07:25 1397760 C:\Program Files\Ahead\InCD\InCD.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] --a------ 2006-07-11 22:19 7626752 C:\WINDOWS\system32\NvCpl.dll 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] --a------ 2006-07-11 22:19 86016 C:\WINDOWS\system32\nvmctray.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] --a------ 2006-07-11 22:19 1576960 C:\WINDOWS\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck] C:\Program Files\Norton AntiVirus\osCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar] C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] -r------- 2006-06-01 01:48 16265728 C:\WINDOWS\RTHDCPL.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel] -r------- 2006-05-16 03:04 2936832 C:\WINDOWS\SkyTel.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\WINDOWS\\system32\\nwiz.exe"= "C:\\Program Files\\Creative\\Sync Manager Unicode\\CTSyncU.exe"= "C:\\Program Files\\Mozilla Firefox\\firefox.exe"= "C:\\WINDOWS\\SkyTel.EXE"= "C:\\WINDOWS\\RTHDCPL.EXE"= *Newly Created Service* - catchme . 
Contents of the 'Scheduled Tasks' folder "2008-04-18 14:58:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2007-03-26 05:07:32 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1167110555.job" - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I . ************************************************************************** catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, Rootkit scan 2008-04-21 07:20:46 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 137 ************************************************************************** . Completion time: 2008-04-21 7:21:35 ComboFix-quarantined-files.txt 2008-04-21 14:21:28 ComboFix2.txt 2008-04-21 12:24:25 Pre-Run: 139,150,000,128 bytes free Post-Run: 139,137,941,504 bytes free 232 --- E O F --- 2008-04-12 10:02:29 |
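Added example, not part of the original post and not code from ComboFix: a small parser for the "Reg Loading Points" section of a ComboFix log like the one above, with three triage heuristics of its own (entries under a SafeBoot key, `DisableMonitoring=1` under Security Center, and Run values given as a bare file name). The `SAMPLE` text is a constructed excerpt of the posted log in ComboFix's layout; the rule names and the `triage` function are this example's assumptions, not ComboFix output, and a finding means "look here first", not "this is malware".

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example: not code from the original post or from ComboFix.  It parses the
REGEDIT4-style key / value layout ComboFix prints for autostart locations and
applies three heuristics of this example's own.  SAMPLE is a constructed excerpt
of the posted log, kept in ComboFix's layout.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt (abridged from the posted log, same layout).
SAMPLE = r'''
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2008-04-09 10:35 1271032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-07-11 22:19 1576960 C:\WINDOWS\system32\nwiz.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 03:04 2936832 C:\WINDOWS\SkyTel.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qxe41.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
# "name"="data" [yyyy-mm-dd hh:mm size [resolved path]]   or   "name"=dword:XXXXXXXX
VALUE_RE = re.compile(
    r'^(?:"(?P<qname>[^"]+)"|@)='
    r'(?:"(?P<data>[^"]*)"|(?P<dword>dword:[0-9a-fA-F]{8}))'
    r'(?:\s+\[(?P<meta>[^\]]*)\])?\s*$'
)


@dataclass
class Entry:
    key: str
    name: str                        # value name; '@' is the key's default value
    data: str                        # string data, or the raw dword:XXXXXXXX token
    stamp: Optional[str] = None      # "yyyy-mm-dd hh:mm" from the bracket, if present
    size: Optional[int] = None
    resolved: Optional[str] = None   # full path ComboFix resolved a bare name to


def parse_loading_points(text: str) -> List[Entry]:
    """Turn the dump into Entry records; lines this example does not model are skipped."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4':
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        data = m.group('data') if m.group('data') is not None else m.group('dword')
        entry = Entry(key=key, name=m.group('qname') or '@', data=data)
        if m.group('meta'):
            parts = m.group('meta').split(None, 3)   # date, time, size[, resolved path]
            if len(parts) >= 3 and parts[2].isdigit():
                entry.stamp = f'{parts[0]} {parts[1]}'
                entry.size = int(parts[2])
            if len(parts) == 4:
                entry.resolved = parts[3]
        entries.append(entry)
    return entries


def triage(text: str) -> List[str]:
    """Return one finding per entry an analyst should look at first (heuristics are this example's own)."""
    findings = []
    for e in parse_loading_points(text):
        k = e.key.lower()
        tail = e.key.rsplit('\\', 1)[-1]
        if '\\safeboot\\' in k:
            # Anything registered here loads in Safe Mode too, so "boot to Safe Mode
            # and clean" does not sidestep it unless it is accounted for.
            findings.append(f'SAFEBOOT  {tail}: loads in Safe Mode; confirm it is a known, present driver/service')
        if e.name.lower() == 'disablemonitoring' and e.data.lower() == 'dword:00000001':
            findings.append(f'SECCENTER {tail}: Security Center status monitoring is switched off under this key')
        if '\\currentversion\\run' in k and '\\' not in e.data:
            # A bare file name is located by search order, so check where it resolved.
            findings.append(f'BARENAME  {e.name}={e.data}: resolved to {e.resolved or "(not resolved)"}; verify that path')
    return findings


if __name__ == '__main__':
    for line in triage(SAMPLE):
        print(line)
```

Run it as-is to see the five findings for the excerpt; to use it on a full log, paste the "Reg Loading Points" section into `SAMPLE` or pass its text to `triage`. The bracketed metadata (timestamp, size, resolved path) is kept on each `Entry` so a bare-name hit can be compared against the path ComboFix actually resolved.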