Jump to content


Photo

Keylogger - mbam and HijackThis Log


  • This topic is locked This topic is locked
17 replies to this topic

#1 strikex

strikex

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 04 July 2009 - 05:04 PM

I had key logger in my computer, i think i already removed him, but still can't be sure

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:57:43, on 03/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
F:\Program files\Returnil\Returnil.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
F:\Program Files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing)
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
O4 - HKLM\..\Run: [Nokia FastStart] "C:\Program Files\Nokia\Nokia Music\NokiaMusic.exe" /command:faststart
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Rvsystem] "F:\Program files\Returnil\Returnil.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "F:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [Systweak Wallpaper Changer] F:\Program Files\Advanced System Optimizer\wallpaper.exe -minimize
O4 - HKCU\..\Run: [UberIcon] "F:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe"
O4 - HKCU\..\Run: [TrueTransparency] "C:\DOCUME~1\Admin\LOCALS~1\Temp\Rar$EX02.047\חלונות שקופים\TrueTransparency סקין זכוכית ללא התקנה\TrueTransparency.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: ImageMixer 3 SE Camera Monitor for SD.lnk = ?
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &ייצוא אל Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: שלח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll (file missing)
O9 - Extra 'Tools' menuitem: ש&לח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.co....sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi....?1229453344875
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co....sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi....?1229453304953
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon....t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m....nt/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TwonkyMedia - PacketVideo - C:\Program Files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe
--
End of file - 11327 bytes







and mbam-log:

Malwarebytes' Anti-Malware 1.38
Database version: 2365
Windows 5.1.2600 Service Pack 3
03/07/2009 02:59:30
mbam-log-2009-07-03 (02-59-30).txt
Scan type: Full Scan (C:\|F:\|)
Objects scanned: 187850
Time elapsed: 34 minute(s), 1 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)




I really really thanks you.

#2 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 06 July 2009 - 08:05 AM

Hi,
I'm nasdaq and will be helping you.

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

Nothing suspicious was found on your log.
Just clean these empty items.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)


Click on Fix Checked when finished and exit HijackThis.
Restart the computer normally.

Delete this folder in bold if found.
C:\Program Files\AskTBar\
===

Lets check further.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply with a fresh HijackThis log.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#3 strikex

strikex

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 06 July 2009 - 02:06 PM

Hey Nasdaq, thanks for the reply.

Here is the Combofix log:

ComboFix 09-07-05.04 - Admin 07/06/2009 21:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.2045.1346 [GMT 3:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\desktop.ini
c:\documents and settings\Admin\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\windows\Installer\10790.msi

.
((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-04 23:21 . 2008-12-11 05:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-07-04 23:21 . 2009-04-03 08:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-07-04 23:21 . 2008-12-18 09:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-04 23:21 . 2009-07-04 23:23 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-04 23:21 . 2008-12-10 08:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-07-04 23:21 . 2009-07-04 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-07-04 23:21 . 2009-07-04 23:21 -------- d-----w- c:\documents and settings\Admin\Application Data\PC Tools
2009-07-02 23:23 . 2009-07-02 23:23 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2009-07-02 23:23 . 2009-06-17 08:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 23:23 . 2009-07-02 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-02 23:23 . 2009-06-17 08:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-02 23:18 . 2009-07-02 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-27 21:56 . 2009-06-27 21:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-27 21:45 . 2009-06-27 21:45 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-27 21:45 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-27 21:45 . 2009-06-27 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-27 21:45 . 2009-06-27 21:45 -------- d-----w- c:\program files\Lavasoft
2009-06-22 22:34 . 2009-06-22 22:34 22272 ----a-w- c:\windows\system32\drivers\RVFsSec.sys
2009-06-22 22:34 . 2009-06-22 22:34 39424 ----a-w- c:\windows\system32\drivers\RVSystem.sys
2009-06-22 22:33 . 2009-06-22 22:35 -------- d--h--w- C:\RETURNIL
2009-06-21 10:21 . 2009-06-21 10:21 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Blizzard Entertainment
2009-06-14 20:29 . 2006-12-14 07:00 110592 ----a-w- c:\documents and settings\Admin\Application Data\U3\temp\cleanup.exe
2009-06-14 20:26 . 2007-02-12 14:46 3096576 ---ha-w- c:\documents and settings\Admin\Application Data\U3\temp\Launchpad Removal.exe
2009-06-14 20:26 . 2009-06-16 14:14 -------- d-----w- c:\documents and settings\Admin\Application Data\U3
2009-06-14 06:56 . 2009-06-14 06:56 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\ESET
2009-06-14 05:51 . 2009-06-14 21:37 -------- d-----w- c:\windows\LastGood
2009-06-13 22:04 . 2009-06-13 22:04 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-13 10:41 . 2009-06-14 06:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-06-12 20:35 . 2009-06-13 22:03 -------- d-----w- c:\windows\LastGood.Tmp
2009-06-12 20:07 . 2008-01-07 11:29 352 ---ha-w- c:\windows\nod32fixtemdono.reg
2009-06-12 20:06 . 2009-06-12 20:06 -------- d-----w- c:\documents and settings\Admin\Application Data\ESET
2009-06-12 20:06 . 2009-06-14 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-11 11:26 . 2009-06-11 11:26 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-11 10:46 . 2009-06-11 10:46 -------- d-----w- c:\documents and settings\Admin\Application Data\URSoft
2009-06-11 10:46 . 2009-07-06 18:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-11 10:39 . 2009-06-11 10:39 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 18:56 . 2008-10-22 00:38 -------- d-----w- c:\documents and settings\Admin\Application Data\DNA
2009-07-06 18:46 . 2008-10-22 00:38 -------- d-----w- c:\program files\DNA
2009-07-06 11:27 . 2007-11-22 15:40 -------- d-----w- c:\program files\ESET
2009-07-06 00:21 . 2008-07-12 00:31 -------- d-----w- c:\documents and settings\Admin\Application Data\Skype
2009-07-05 21:08 . 2008-07-12 00:32 -------- d-----w- c:\documents and settings\Admin\Application Data\skypePM
2009-06-27 21:49 . 2009-06-27 21:49 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-27 21:49 . 2009-06-27 21:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-27 21:49 . 2009-06-27 21:49 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-22 19:10 . 2009-03-25 08:48 -------- d-----w- c:\program files\World of Warcraft
2009-06-13 10:45 . 2008-06-29 14:39 -------- d-----w- c:\program files\VentSrv
2009-06-13 10:45 . 2009-03-11 14:35 -------- d-----w- c:\program files\QuickTime
2009-06-13 10:44 . 2008-10-13 14:58 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-06-13 10:44 . 2008-01-23 12:24 -------- d-----w- c:\program files\ICQToolbar
2009-06-13 10:44 . 2004-08-03 21:14 212224 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-13 10:41 . 2009-06-13 10:41 0 ----a-w- c:\windows\system32\C053.tmp
2009-06-13 10:41 . 2009-06-13 10:41 80 ----a-w- c:\windows\system32\C042.tmp
2009-06-12 20:27 . 2008-10-13 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-09 13:45 . 2008-06-29 14:47 -------- d-----w- c:\program files\Ventrilo
2009-06-09 12:12 . 2007-11-26 14:09 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-02 15:28 . 2008-07-17 02:08 -------- d-----w- c:\program files\PokerStars
2009-06-01 12:10 . 2008-05-30 10:16 -------- d-----w- c:\documents and settings\Admin\Application Data\Ventrilo
2009-06-01 12:07 . 2008-06-29 14:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-28 15:49 . 2007-11-22 21:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-28 15:40 . 2008-07-11 23:41 -------- d-----w- c:\documents and settings\Admin\Application Data\Hamachi
2009-05-25 08:51 . 2007-11-23 13:41 101968 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-25 07:51 . 2009-05-25 07:51 -------- d-----w- c:\program files\AviSynth 2.5
2009-05-25 07:47 . 2009-05-25 07:47 -------- d-----w- c:\program files\eRightSoft
2009-05-24 16:42 . 2009-05-24 16:42 -------- d-----w- c:\program files\Microsoft Works
2009-05-24 16:42 . 2007-11-23 07:02 -------- d-----w- c:\program files\MSBuild
2009-05-23 09:18 . 2007-11-23 07:02 1528840 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-12 19:58 . 2009-05-12 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia
2009-05-12 19:57 . 2009-05-12 19:57 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-05-12 19:57 . 2009-05-12 19:57 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-05-12 19:57 . 2009-05-12 19:57 -------- d-----w- c:\documents and settings\Admin\Application Data\Nokia
2009-05-12 17:41 . 2009-05-12 17:13 -------- d-----w- c:\program files\Nokia
2009-05-12 17:41 . 2009-05-12 17:31 -------- d-----w- c:\program files\Common Files\Nokia
2009-05-12 17:34 . 2009-05-12 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaMusic
2009-05-12 17:31 . 2009-05-12 17:31 -------- d-----w- c:\program files\Common Files\muvee Technologies
2006-05-03 10:06 . 2009-05-25 07:50 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-05-25 07:50 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-05-25 07:50 216064 --sh--r- c:\windows\system32\nbDX.dll
.

------- Sigcheck -------

[7] 2004-08-03 21:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 22:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2009-06-13 10:44 212224 87090A87841A6DE2F46BDCDD9321E3B7 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-07 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]
"DAEMON Tools Pro Agent"="f:\program files\DAEMON Tools Pro\DTProAgent.exe" [2008-10-09 200136]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Nokia FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2009-02-26 2376992]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-08-18 1447168]
"Rvsystem"="f:\program files\Returnil\Returnil.exe" [2009-06-22 2304000]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-04 520024]
"ISTray"="f:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-06-13 16377344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-11-12 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
SpywareGuard.lnk - f:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - f:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
hpoddt01.exe.lnk - f:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
ImageMixer 3 SE Camera Monitor for SD.lnk - f:\program files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe [2009-4-11 253952]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Tortun\\gui.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"f:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"f:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"f:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Nokia\\Nokia Home Media Server\\Media Server\\twonkymedia.exe"=
"c:\\Program Files\\Nokia\\Nokia Home Media Server\\Media Server\\twonkymediaserver.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [28/06/2009 00:49 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [05/07/2009 02:21 130936]
R0 RVFsSec;RVFsSec;c:\windows\system32\drivers\RVFsSec.sys [23/06/2009 01:34 22272]
R0 RVSystem;RVSystem;c:\windows\system32\drivers\RVSystem.sys [23/06/2009 01:34 39424]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [18/08/2008 13:27 34312]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [21/12/2007 08:21 468224]
R2 sdAuxService;PC Tools Auxiliary Service;f:\program files\Spyware Doctor\pctsAuxs.exe [05/07/2009 02:21 348752]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 22:06 1029456]
S2 TwonkyMedia;TwonkyMedia;c:\program files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe -serviceversion 0 --> c:\program files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe -serviceversion 0 [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-07-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 21:49]

2009-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Systweak Wallpaper Changer - f:\program files\Advanced System Optimizer\wallpaper.exe
HKCU-Run-UberIcon - f:\windows\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe


.
------- Supplementary Scan -------
.
IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
IE: &ייצוא אל Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: &יצא ל- Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\5uhgdi40.default\
FF - prefs.js: browser.startup.homepage - hxxp://il.msn.com/
FF - plugin: f:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
FF - plugin: f:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: f:\program files\DivX\DivX Web Player\npdivx32.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 21:58
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-602609370-682003330-1003\Software\Microsoft\  M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
"File1"="c:\\WINDOWS\\system32\\compmgmt.msc"

[HKEY_USERS\S-1-5-21-299502267-602609370-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:ec,a4,f1,91,46,2d,f5,09,a4,9d,b4,fd,a0,c0,a9,c1,5a,4f,99,4d,67,
67,5b,23,be,fa,16,30,a7,5a,c8,a7,23,2f,9e,b8,d6,e4,cb,3d,b4,0b,eb,e9,20,b3,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
Completion time: 2009-07-06 22:00
ComboFix-quarantined-files.txt 2009-07-06 19:00

Pre-Run: 6,332,686,336 bytes free
Post-Run: 7,813,783,552 bytes free

273 --- E O F --- 2009-02-07 20:55





And here is the new HJT log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:05:34, on 06/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
f:\Program Files\Spyware Doctor\pctsAuxs.exe
f:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
F:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
F:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
O4 - HKLM\..\Run: [Nokia FastStart] "C:\Program Files\Nokia\Nokia Music\NokiaMusic.exe" /command:faststart
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Rvsystem] "F:\Program files\Returnil\Returnil.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ISTray] "f:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "F:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: ImageMixer 3 SE Camera Monitor for SD.lnk = ?
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &ייצוא אל Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: שלח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll (file missing)
O9 - Extra 'Tools' menuitem: ש&לח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1229453344875
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1229453304953
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ent/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - f:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - f:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TwonkyMedia - PacketVideo - C:\Program Files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe

--
End of file - 10848 bytes




Really thanks you Nasdaq!

#4 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 07 July 2009 - 08:48 AM

Looking good but I want to check this file in bold.

c:\windows\system32\drivers\ndis.sys

Please submit the file in bold to the following link for a scan, then post the results in your next message for me to see.
http://virusscan.jotti.org/
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#5 strikex

strikex

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 07 July 2009 - 10:37 AM

Hey nasdaq, thanks for reply.

The file " Ndis" was empy. so i tried the file "Ndis(2)"

and here is the results:


Filename: ndis.sys
Status:
Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Wed 24 Jun 2009 15:09:10 (CET) Permalink

if that what you meant,
if not i took as Screenshot of the page. so if u need it tell me in the next reply

#6 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 08 July 2009 - 08:11 AM

The file " Ndis" was empy. so i tried the file "Ndis(2)"


Look at the properties of this Ndis(2).sys file and let me know if it\s from Microsoft and include the size of the file.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#7 strikex

strikex

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 08 July 2009 - 11:39 AM

The file " Ndis" was empy. so i tried the file "Ndis(2)"


Look at the properties of this Ndis(2).sys file and let me know if it\s from Microsoft and include the size of the file.




Yeah it is from Microsoft

Copyright: Microsoft Corporation. All rights reserved.

#8 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 08 July 2009 - 12:20 PM

Please what is the file size (bytes)
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#9 strikex

strikex

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 08 July 2009 - 01:09 PM

178 KB (182,656 bytes)

#10 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 08 July 2009 - 03:31 PM

See post no 3.

[7] 2004-08-03 21:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 22:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2009-06-13 10:44 212224 87090A87841A6DE2F46BDCDD9321E3B7 c:\windows\system32\drivers\ndis.sys


The malware inserted a bad ndis.sys file in to your system.

You may have to do this in Safe Mode.

Delete this file in bold.
c:\windows\system32\drivers\ndis.sys

Rename this file

c:\windows\system32\drivers\ndis(2).sys

to
c:\windows\system32\drivers\ndis.sys

Restart the computer.

Let me know what problem persists.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#11 strikex

strikex

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 08 July 2009 - 03:59 PM

See post no 3.

[7] 2004-08-03 21:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 22:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2009-06-13 10:44 212224 87090A87841A6DE2F46BDCDD9321E3B7 c:\windows\system32\drivers\ndis.sys


The malware inserted a bad ndis.sys file in to your system.

You may have to do this in Safe Mode.

Delete this file in bold.
c:\windows\system32\drivers\ndis.sys

Rename this file

c:\windows\system32\drivers\ndis(2).sys

to
c:\windows\system32\drivers\ndis.sys

Restart the computer.

Let me know what problem persists.



I cannot Delete " Ndis" from System32/drivers...
the file is probably currently in use.
and i used Safe mode.

Nasdaq. is it keylogger?
please answer fast. my credit card may be in a danger.

Edited by strikex, 08 July 2009 - 04:04 PM.


#12 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 09 July 2009 - 08:04 AM

Nothing else but that file was bad on your log.
Possibly left over after you cleaned the virus.
Alone I do not think it's a keylogger.

Open notepad and copy/paste the text in the quote box below into it:

KillAll::

FCOPY::
c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\drivers\ndis.sys


Save this as CFScript on your desktop.

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Let me know what problem persists.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#13 strikex

strikex

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 09 July 2009 - 08:48 AM

Nothing else but that file was bad on your log.
Possibly left over after you cleaned the virus.
Alone I do not think it's a keylogger.

Open notepad and copy/paste the text in the quote box below into it:

KillAll::

FCOPY::
c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\drivers\ndis.sys


Save this as CFScript on your desktop.

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Let me know what problem persists.



here is the log:


ComboFix 09-07-08.07 - Admin 07/09/2009 16:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.2045.1369 [GMT 3:00]
Running from: c:\documents and settings\Admin\Desktop\Anti\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\ndis.sys --> c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-04 23:21 . 2008-12-11 05:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-07-04 23:21 . 2009-04-03 08:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-07-04 23:21 . 2008-12-18 09:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-04 23:21 . 2009-07-04 23:23 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-04 23:21 . 2008-12-10 08:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-07-04 23:21 . 2009-07-04 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-07-04 23:21 . 2009-07-04 23:21 -------- d-----w- c:\documents and settings\Admin\Application Data\PC Tools
2009-07-02 23:23 . 2009-07-02 23:23 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2009-07-02 23:23 . 2009-06-17 08:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 23:23 . 2009-07-02 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-02 23:23 . 2009-06-17 08:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-02 23:18 . 2009-07-02 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-27 21:45 . 2009-07-07 15:57 -------- d-----w- c:\program files\Lavasoft
2009-06-27 21:45 . 2009-07-07 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-22 22:34 . 2009-06-22 22:34 22272 ----a-w- c:\windows\system32\drivers\RVFsSec.sys
2009-06-22 22:34 . 2009-06-22 22:34 39424 ----a-w- c:\windows\system32\drivers\RVSystem.sys
2009-06-22 22:33 . 2009-06-22 22:35 -------- d--h--w- C:\RETURNIL
2009-06-21 10:21 . 2009-06-21 10:21 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Blizzard Entertainment
2009-06-14 20:29 . 2006-12-14 07:00 110592 ----a-w- c:\documents and settings\Admin\Application Data\U3\temp\cleanup.exe
2009-06-14 20:26 . 2007-02-12 14:46 3096576 ---ha-w- c:\documents and settings\Admin\Application Data\U3\temp\Launchpad Removal.exe
2009-06-14 20:26 . 2009-06-16 14:14 -------- d-----w- c:\documents and settings\Admin\Application Data\U3
2009-06-14 06:56 . 2009-06-14 06:56 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\ESET
2009-06-14 05:51 . 2009-06-14 21:37 -------- d-----w- c:\windows\LastGood
2009-06-13 22:04 . 2009-06-13 22:04 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-13 10:41 . 2009-06-14 06:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-06-12 20:07 . 2008-01-07 11:29 352 ---ha-w- c:\windows\nod32fixtemdono.reg
2009-06-12 20:06 . 2009-06-12 20:06 -------- d-----w- c:\documents and settings\Admin\Application Data\ESET
2009-06-12 20:06 . 2009-06-14 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-11 11:26 . 2009-06-11 11:26 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-11 10:46 . 2009-06-11 10:46 -------- d-----w- c:\documents and settings\Admin\Application Data\URSoft
2009-06-11 10:46 . 2009-07-09 13:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-11 10:39 . 2009-06-11 10:39 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 13:42 . 2008-10-22 00:38 -------- d-----w- c:\program files\DNA
2009-07-09 13:42 . 2008-10-22 00:38 -------- d-----w- c:\documents and settings\Admin\Application Data\DNA
2009-07-06 11:27 . 2007-11-22 15:40 -------- d-----w- c:\program files\ESET
2009-07-06 00:21 . 2008-07-12 00:31 -------- d-----w- c:\documents and settings\Admin\Application Data\Skype
2009-07-05 21:08 . 2008-07-12 00:32 -------- d-----w- c:\documents and settings\Admin\Application Data\skypePM
2009-06-22 19:10 . 2009-03-25 08:48 -------- d-----w- c:\program files\World of Warcraft
2009-06-13 10:45 . 2008-06-29 14:39 -------- d-----w- c:\program files\VentSrv
2009-06-13 10:45 . 2009-03-11 14:35 -------- d-----w- c:\program files\QuickTime
2009-06-13 10:44 . 2008-10-13 14:58 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-06-13 10:44 . 2008-01-23 12:24 -------- d-----w- c:\program files\ICQToolbar
2009-06-13 10:41 . 2009-06-13 10:41 0 ----a-w- c:\windows\system32\C053.tmp
2009-06-13 10:41 . 2009-06-13 10:41 80 ----a-w- c:\windows\system32\C042.tmp
2009-06-12 20:27 . 2008-10-13 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-09 13:45 . 2008-06-29 14:47 -------- d-----w- c:\program files\Ventrilo
2009-06-09 12:12 . 2007-11-26 14:09 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-02 15:28 . 2008-07-17 02:08 -------- d-----w- c:\program files\PokerStars
2009-06-01 12:10 . 2008-05-30 10:16 -------- d-----w- c:\documents and settings\Admin\Application Data\Ventrilo
2009-06-01 12:07 . 2008-06-29 14:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-28 15:49 . 2007-11-22 21:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-28 15:40 . 2008-07-11 23:41 -------- d-----w- c:\documents and settings\Admin\Application Data\Hamachi
2009-05-25 08:51 . 2007-11-23 13:41 101968 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-25 07:51 . 2009-05-25 07:51 -------- d-----w- c:\program files\AviSynth 2.5
2009-05-25 07:47 . 2009-05-25 07:47 -------- d-----w- c:\program files\eRightSoft
2009-05-24 16:42 . 2009-05-24 16:42 -------- d-----w- c:\program files\Microsoft Works
2009-05-24 16:42 . 2007-11-23 07:02 -------- d-----w- c:\program files\MSBuild
2009-05-23 09:18 . 2007-11-23 07:02 1528840 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-12 19:58 . 2009-05-12 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia
2009-05-12 19:57 . 2009-05-12 19:57 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-05-12 19:57 . 2009-05-12 19:57 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-05-12 19:57 . 2009-05-12 19:57 -------- d-----w- c:\documents and settings\Admin\Application Data\Nokia
2009-05-12 17:41 . 2009-05-12 17:13 -------- d-----w- c:\program files\Nokia
2009-05-12 17:41 . 2009-05-12 17:31 -------- d-----w- c:\program files\Common Files\Nokia
2009-05-12 17:34 . 2009-05-12 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaMusic
2009-05-12 17:31 . 2009-05-12 17:31 -------- d-----w- c:\program files\Common Files\muvee Technologies
2006-05-03 10:06 . 2009-05-25 07:50 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-05-25 07:50 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-05-25 07:50 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-07 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]
"DAEMON Tools Pro Agent"="f:\program files\DAEMON Tools Pro\DTProAgent.exe" [2008-10-09 200136]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Nokia FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2009-02-26 2376992]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-08-18 1447168]
"Rvsystem"="f:\program files\Returnil\Returnil.exe" [2009-06-22 2304000]
"ISTray"="f:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-06-13 16377344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-11-12 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
SpywareGuard.lnk - f:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - f:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
hpoddt01.exe.lnk - f:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
ImageMixer 3 SE Camera Monitor for SD.lnk - f:\program files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe [2009-4-11 253952]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Tortun\\gui.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"f:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"f:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"f:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Nokia\\Nokia Home Media Server\\Media Server\\twonkymedia.exe"=
"c:\\Program Files\\Nokia\\Nokia Home Media Server\\Media Server\\twonkymediaserver.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [05/07/2009 02:21 130936]
R0 RVFsSec;RVFsSec;c:\windows\system32\drivers\RVFsSec.sys [23/06/2009 01:34 22272]
R0 RVSystem;RVSystem;c:\windows\system32\drivers\RVSystem.sys [23/06/2009 01:34 39424]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [18/08/2008 13:27 34312]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [21/12/2007 08:21 468224]
R2 sdAuxService;PC Tools Auxiliary Service;f:\program files\Spyware Doctor\pctsAuxs.exe [05/07/2009 02:21 348752]
S2 TwonkyMedia;TwonkyMedia;c:\program files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe -serviceversion 0 --> c:\program files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe -serviceversion 0 [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
.
------- Supplementary Scan -------
.
IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
IE: &ייצוא אל Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: &יצא ל- Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\5uhgdi40.default\
FF - prefs.js: browser.startup.homepage - hxxp://il.msn.com/
FF - plugin: f:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
FF - plugin: f:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: f:\program files\DivX\DivX Web Player\npdivx32.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 16:41
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-602609370-682003330-1003\Software\Microsoft\  M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
"File1"="c:\\WINDOWS\\system32\\compmgmt.msc"

[HKEY_USERS\S-1-5-21-299502267-602609370-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:ec,a4,f1,91,46,2d,f5,09,a4,9d,b4,fd,a0,c0,a9,c1,5a,4f,99,4d,67,
67,5b,23,be,fa,16,30,a7,5a,c8,a7,23,2f,9e,b8,d6,e4,cb,3d,b4,0b,eb,e9,20,b3,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(992)
f:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
f:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-07-09 16:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-09 13:47
ComboFix2.txt 2009-07-06 19:01

Pre-Run: 7,753,506,816 bytes free
Post-Run: 7,892,389,888 bytes free

275 --- E O F --- 2009-02-07 20:55


somthing i noticed: Now i got both Ndis and Ndis(2) and they look like the have the same size

Edited by strikex, 09 July 2009 - 08:50 AM.


#14 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 09 July 2009 - 09:32 AM

You can now delete Ndis(2) .sys

Any remaining problems?
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#15 strikex

strikex

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 09 July 2009 - 09:49 AM

You can now delete Ndis(2) .sys

Any remaining problems?


dosnt looks like any problems, i just deleted it :p

#16 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 09 July 2009 - 01:19 PM

Please read this Prevention page with lots of info and tips how to prevent this in the future.
How did I get infected in the first place?
http://spywareinfofo...showtopic=60955
===

Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#17 strikex

strikex

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 09 July 2009 - 06:41 PM

Nasdaq, you really helped me.
I really really thank you. really, so much :)
god bless you ;)

#18 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 23 July 2009 - 07:46 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button