strikex

Keylogger - mbam and HijackThis Log

18 posts in this topic

I had a keylogger on my computer. I think I already removed it, but I still can't be sure.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:57:43, on 03/07/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

F:\Program files\Returnil\Returnil.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

F:\Program Files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing)

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles

O4 - HKLM\..\Run: [Nokia FastStart] "C:\Program Files\Nokia\Nokia Music\NokiaMusic.exe" /command:faststart

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [Rvsystem] "F:\Program files\Returnil\Returnil.exe"

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "F:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun

O4 - HKCU\..\Run: [systweak Wallpaper Changer] F:\Program Files\Advanced System Optimizer\wallpaper.exe -minimize

O4 - HKCU\..\Run: [uberIcon] "F:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe"

O4 - HKCU\..\Run: [TrueTransparency] "C:\DOCUME~1\Admin\LOCALS~1\Temp\Rar$EX02.047\חלונות שקופים\TrueTransparency סקין זכוכית ללא התקנה\TrueTransparency.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: ImageMixer 3 SE Camera Monitor for SD.lnk = ?

O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML

O8 - Extra context menu item: &ייצוא אל Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: שלח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll (file missing)

O9 - Extra 'Tools' menuitem: ש&לח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll (file missing)

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab3.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1229453344875

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1229453304953

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (file missing)

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: TwonkyMedia - PacketVideo - C:\Program Files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe

--

End of file - 11327 bytes


and mbam-log:

 

Malwarebytes' Anti-Malware 1.38

Database version: 2365

Windows 5.1.2600 Service Pack 3

03/07/2009 02:59:30

mbam-log-2009-07-03 (02-59-30).txt

Scan type: Full Scan (C:\|F:\|)

Objects scanned: 187850

Time elapsed: 34 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


I really, really thank you.


Hi,

I'm nasdaq and will be helping you.

 

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Nothing suspicious was found on your log.

Just clean these empty items.

 

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)

 

Click on Fix Checked when finished and exit HijackThis.

Restart the computer normally.

 

Delete this folder in bold if found.

C:\Program Files\AskTBar\

===

 

Let's check further.

 

Download ComboFix from one of these locations:

 

Link 1

Link 2

Link 3

 

* IMPORTANT !!! Save ComboFix.exe to your Desktop

 

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
     
  • Double click on ComboFix.exe & follow the prompts.
     
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

 

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

 

RcAuto1.gif

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

whatnext.png

 

Click on Yes, to continue scanning for malware.

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply with a fresh HijackThis log.

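A small triage script for the kind of HijackThis cleanup nasdaq describes above, added here as an example (it is not part of this thread and not a HijackThis tool): it parses the R/O entry lines of a HijackThis log, lists the entries whose target file is missing ("(file missing)" / "(no file)") or whose R0/R1 value is empty, and groups entries that share a CLSID so a toolbar's URLSearchHook and Toolbar lines show up together. The sample log is a constructed excerpt of the log posted in this thread; on the full log the script would also list the O9 and O23 "(file missing)" lines nasdaq left alone, which are candidates for review, not verdicts.

```python
"""Triage helper for HijackThis (HJT) v2 logs.

Added example, not code from the thread or from HijackThis. It flags the
same categories of entry nasdaq asked to be fixed: missing target files
and empty R0/R1 values. A flag means "review this", not "malicious".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Every HJT finding looks like "<code> - <body>", e.g. "O2 - BHO: name - {CLSID} - path"
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+)\s+-\s+(?P<body>.*)$")
# Standard GUID form: 8-4-4-4-12 hex digits with hyphens, in braces
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed excerpt of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing)
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (file missing)
"""


@dataclass
class Entry:
    code: str                 # HJT section code, e.g. "R0", "O2", "O23"
    body: str                 # everything after "<code> - "
    clsid: Optional[str]      # first {GUID} in the body, if any
    reason: Optional[str]     # why the entry was flagged, or None


def classify(code: str, body: str) -> Optional[str]:
    """Return a reason string for entries that match nasdaq's cleanup criteria."""
    if "(file missing)" in body or "(no file)" in body:
        return "target file missing"
    # R0/R1 registry values: "...,Start Page =" with nothing after the '='
    if code.startswith("R") and body.rstrip().endswith("="):
        return "empty value"
    return None


def parse_hjt(text: str) -> List[Entry]:
    """Parse the finding lines of an HJT log; header and process list are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        cm = CLSID_RE.search(body)
        entries.append(Entry(code, body, cm.group(0) if cm else None, classify(code, body)))
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    """Entries a helper would put on a 'Fix checked' list, in log order."""
    return [e for e in entries if e.reason]


def by_clsid(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each CLSID to the section codes that reference it (R3 + O3 for a toolbar)."""
    groups: Dict[str, List[str]] = {}
    for e in entries:
        if e.clsid:
            groups.setdefault(e.clsid, []).append(e.code)
    return groups


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for e in flagged(parsed):
        print(f"[{e.reason}] {e.code} - {e.body}")
    for clsid, codes in by_clsid(parsed).items():
        if len(codes) > 1:
            print(f"{clsid} referenced by {', '.join(codes)}")
```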

Hey Nasdaq, thanks for the reply.

 

Here is the Combofix log:

 

ComboFix 09-07-05.04 - Admin 07/06/2009 21:53.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.2045.1346 [GMT 3:00]

Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\desktop.ini

c:\documents and settings\Admin\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat

c:\windows\Installer\10790.msi

 

.

((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))

.

 

2009-07-04 23:21 . 2008-12-11 05:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-07-04 23:21 . 2009-04-03 08:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-07-04 23:21 . 2008-12-18 09:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-07-04 23:21 . 2009-07-04 23:23 -------- d-----w- c:\program files\Common Files\PC Tools

2009-07-04 23:21 . 2008-12-10 08:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-07-04 23:21 . 2009-07-04 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-07-04 23:21 . 2009-07-04 23:21 -------- d-----w- c:\documents and settings\Admin\Application Data\PC Tools

2009-07-02 23:23 . 2009-07-02 23:23 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes

2009-07-02 23:23 . 2009-06-17 08:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-02 23:23 . 2009-07-02 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-02 23:23 . 2009-06-17 08:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-02 23:18 . 2009-07-02 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-06-27 21:56 . 2009-06-27 21:49 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-06-27 21:45 . 2009-06-27 21:45 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-06-27 21:45 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe

2009-06-27 21:45 . 2009-06-27 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-06-27 21:45 . 2009-06-27 21:45 -------- d-----w- c:\program files\Lavasoft

2009-06-22 22:34 . 2009-06-22 22:34 22272 ----a-w- c:\windows\system32\drivers\RVFsSec.sys

2009-06-22 22:34 . 2009-06-22 22:34 39424 ----a-w- c:\windows\system32\drivers\RVSystem.sys

2009-06-22 22:33 . 2009-06-22 22:35 -------- d--h--w- C:\RETURNIL

2009-06-21 10:21 . 2009-06-21 10:21 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Blizzard Entertainment

2009-06-14 20:29 . 2006-12-14 07:00 110592 ----a-w- c:\documents and settings\Admin\Application Data\U3\temp\cleanup.exe

2009-06-14 20:26 . 2007-02-12 14:46 3096576 ---ha-w- c:\documents and settings\Admin\Application Data\U3\temp\Launchpad Removal.exe

2009-06-14 20:26 . 2009-06-16 14:14 -------- d-----w- c:\documents and settings\Admin\Application Data\U3

2009-06-14 06:56 . 2009-06-14 06:56 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\ESET

2009-06-14 05:51 . 2009-06-14 21:37 -------- d-----w- c:\windows\LastGood

2009-06-13 22:04 . 2009-06-13 22:04 -------- d-----w- c:\windows\system32\wbem\Repository

2009-06-13 10:41 . 2009-06-14 06:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET

2009-06-12 20:35 . 2009-06-13 22:03 -------- d-----w- c:\windows\LastGood.Tmp

2009-06-12 20:07 . 2008-01-07 11:29 352 ---ha-w- c:\windows\nod32fixtemdono.reg

2009-06-12 20:06 . 2009-06-12 20:06 -------- d-----w- c:\documents and settings\Admin\Application Data\ESET

2009-06-12 20:06 . 2009-06-14 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2009-06-11 11:26 . 2009-06-11 11:26 -------- d-----w- c:\program files\Microsoft ActiveSync

2009-06-11 10:46 . 2009-06-11 10:46 -------- d-----w- c:\documents and settings\Admin\Application Data\URSoft

2009-06-11 10:46 . 2009-07-06 18:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-06-11 10:39 . 2009-06-11 10:39 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\PCHealth

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-06 18:56 . 2008-10-22 00:38 -------- d-----w- c:\documents and settings\Admin\Application Data\DNA

2009-07-06 18:46 . 2008-10-22 00:38 -------- d-----w- c:\program files\DNA

2009-07-06 11:27 . 2007-11-22 15:40 -------- d-----w- c:\program files\ESET

2009-07-06 00:21 . 2008-07-12 00:31 -------- d-----w- c:\documents and settings\Admin\Application Data\Skype

2009-07-05 21:08 . 2008-07-12 00:32 -------- d-----w- c:\documents and settings\Admin\Application Data\skypePM

2009-06-27 21:49 . 2009-06-27 21:49 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2009-06-27 21:49 . 2009-06-27 21:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-06-27 21:49 . 2009-06-27 21:49 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys

2009-06-22 19:10 . 2009-03-25 08:48 -------- d-----w- c:\program files\World of Warcraft

2009-06-13 10:45 . 2008-06-29 14:39 -------- d-----w- c:\program files\VentSrv

2009-06-13 10:45 . 2009-03-11 14:35 -------- d-----w- c:\program files\QuickTime

2009-06-13 10:44 . 2008-10-13 14:58 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2009-06-13 10:44 . 2008-01-23 12:24 -------- d-----w- c:\program files\ICQToolbar

2009-06-13 10:44 . 2004-08-03 21:14 212224 ----a-w- c:\windows\system32\drivers\ndis.sys

2009-06-13 10:41 . 2009-06-13 10:41 0 ----a-w- c:\windows\system32\C053.tmp

2009-06-13 10:41 . 2009-06-13 10:41 80 ----a-w- c:\windows\system32\C042.tmp

2009-06-12 20:27 . 2008-10-13 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-06-09 13:45 . 2008-06-29 14:47 -------- d-----w- c:\program files\Ventrilo

2009-06-09 12:12 . 2007-11-26 14:09 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-06-02 15:28 . 2008-07-17 02:08 -------- d-----w- c:\program files\PokerStars

2009-06-01 12:10 . 2008-05-30 10:16 -------- d-----w- c:\documents and settings\Admin\Application Data\Ventrilo

2009-06-01 12:07 . 2008-06-29 14:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-05-28 15:49 . 2007-11-22 21:16 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-05-28 15:40 . 2008-07-11 23:41 -------- d-----w- c:\documents and settings\Admin\Application Data\Hamachi

2009-05-25 08:51 . 2007-11-23 13:41 101968 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-25 07:51 . 2009-05-25 07:51 -------- d-----w- c:\program files\AviSynth 2.5

2009-05-25 07:47 . 2009-05-25 07:47 -------- d-----w- c:\program files\eRightSoft

2009-05-24 16:42 . 2009-05-24 16:42 -------- d-----w- c:\program files\Microsoft Works

2009-05-24 16:42 . 2007-11-23 07:02 -------- d-----w- c:\program files\MSBuild

2009-05-23 09:18 . 2007-11-23 07:02 1528840 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-05-12 19:58 . 2009-05-12 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia

2009-05-12 19:57 . 2009-05-12 19:57 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf

2009-05-12 19:57 . 2009-05-12 19:57 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf

2009-05-12 19:57 . 2009-05-12 19:57 -------- d-----w- c:\documents and settings\Admin\Application Data\Nokia

2009-05-12 17:41 . 2009-05-12 17:13 -------- d-----w- c:\program files\Nokia

2009-05-12 17:41 . 2009-05-12 17:31 -------- d-----w- c:\program files\Common Files\Nokia

2009-05-12 17:34 . 2009-05-12 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaMusic

2009-05-12 17:31 . 2009-05-12 17:31 -------- d-----w- c:\program files\Common Files\muvee Technologies

2006-05-03 10:06 . 2009-05-25 07:50 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 11:47 . 2009-05-25 07:50 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 13:30 . 2009-05-25 07:50 216064 --sh--r- c:\windows\system32\nbDX.dll

.

 

------- Sigcheck -------

 

[7] 2004-08-03 21:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys

[7] 2008-04-13 22:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys

[-] 2009-06-13 10:44 212224 87090A87841A6DE2F46BDCDD9321E3B7 c:\windows\system32\drivers\ndis.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]

"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-07 68856]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]

"DAEMON Tools Pro Agent"="f:\program files\DAEMON Tools Pro\DTProAgent.exe" [2008-10-09 200136]

"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]

"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"Nokia FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2009-02-26 2376992]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-08-18 1447168]

"Rvsystem"="f:\program files\Returnil\Returnil.exe" [2009-06-22 2304000]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-04 520024]

"ISTray"="f:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-06-13 16377344]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-11-12 1630208]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

 

c:\documents and settings\Admin\Start Menu\Programs\Startup\

SpywareGuard.lnk - f:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

hp psc 1000 series.lnk - f:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]

hpoddt01.exe.lnk - f:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

ImageMixer 3 SE Camera Monitor for SD.lnk - f:\program files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe [2009-4-11 253952]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Tortun\\gui.exe"=

"c:\\Program Files\\World of Warcraft\\Repair.exe"=

"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=

"c:\\Program Files\\ICQ6\\ICQ.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"f:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"f:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"f:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Nokia\\Nokia Home Media Server\\Media Server\\twonkymedia.exe"=

"c:\\Program Files\\Nokia\\Nokia Home Media Server\\Media Server\\twonkymediaserver.exe"=

"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=

"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

 

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [28/06/2009 00:49 64160]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [05/07/2009 02:21 130936]

R0 RVFsSec;RVFsSec;c:\windows\system32\drivers\RVFsSec.sys [23/06/2009 01:34 22272]

R0 RVSystem;RVSystem;c:\windows\system32\drivers\RVSystem.sys [23/06/2009 01:34 39424]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [18/08/2008 13:27 34312]

R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [21/12/2007 08:21 468224]

R2 sdAuxService;PC Tools Auxiliary Service;f:\program files\Spyware Doctor\pctsAuxs.exe [05/07/2009 02:21 348752]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 22:06 1029456]

S2 TwonkyMedia;TwonkyMedia;c:\program files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe -serviceversion 0 --> c:\program files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe -serviceversion 0 [?]

 

--- Other Services/Drivers In Memory ---

 

*Deregistered* - mchInjDrv

.

Contents of the 'Scheduled Tasks' folder

 

2009-07-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 21:49]

 

2009-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

.

- - - - ORPHANS REMOVED - - - -

 

HKCU-Run-Systweak Wallpaper Changer - f:\program files\Advanced System Optimizer\wallpaper.exe

HKCU-Run-UberIcon - f:\windows\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe

 

 

.

------- Supplementary Scan -------

.

IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML

IE: &ייצוא אל Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: &יצא ל- Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\5uhgdi40.default\

FF - prefs.js: browser.startup.homepage - hxxp://il.msn.com/

FF - plugin: f:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll

FF - plugin: f:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll

FF - plugin: f:\program files\DivX\DivX Web Player\npdivx32.dll

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-06 21:58

Windows 5.1.2600 Service Pack 3 NTFS

 

detected NTDLL code modification:

ZwClose

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-299502267-602609370-682003330-1003\Software\Microsoft\ M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]

"File1"="c:\\WINDOWS\\system32\\compmgmt.msc"

 

[HKEY_USERS\S-1-5-21-299502267-602609370-682003330-1003\Software\SecuROM\License information*]

"datasecu"=hex:ec,a4,f1,91,46,2d,f5,09,a4,9d,b4,fd,a0,c0,a9,c1,5a,4f,99,4d,67,

67,5b,23,be,fa,16,30,a7,5a,c8,a7,23,2f,9e,b8,d6,e4,cb,3d,b4,0b,eb,e9,20,b3,\

"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb

.

Completion time: 2009-07-06 22:00

ComboFix-quarantined-files.txt 2009-07-06 19:00

 

Pre-Run: 6,332,686,336 bytes free

Post-Run: 7,813,783,552 bytes free

 

273 --- E O F --- 2009-02-07 20:55

 

 

 

 

 

And here is the new HJT log

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:05:34, on 06/07/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\nvsvc32.exe

f:\Program Files\Spyware Doctor\pctsAuxs.exe

f:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

F:\Program Files\Spyware Doctor\pctsTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

F:\Program Files\SpywareGuard\sgmain.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles

O4 - HKLM\..\Run: [Nokia FastStart] "C:\Program Files\Nokia\Nokia Music\NokiaMusic.exe" /command:faststart

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [Rvsystem] "F:\Program files\Returnil\Returnil.exe"

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [iSTray] "f:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "F:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun

O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: SpywareGuard.lnk = F:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: ImageMixer 3 SE Camera Monitor for SD.lnk = ?

O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML

O8 - Extra context menu item: &ייצוא אל Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: שלח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll (file missing)

O9 - Extra 'Tools' menuitem: ש&לח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll (file missing)

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229453344875

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229453304953

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (file missing)

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - f:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - f:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: TwonkyMedia - PacketVideo - C:\Program Files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe

 

--

End of file - 10848 bytes

 

 

 

 

Really, thank you Nasdaq!


Looking good but I want to check this file in bold.

 

c:\windows\system32\drivers\ndis.sys

 

Please submit the file in bold to the following link for a scan, then post the results in your next message for me to see.

http://virusscan.jotti.org/


Hey nasdaq, thanks for the reply.

 

The file "Ndis" was empty, so I tried the file "Ndis(2)".

 

and here is the results:

 

 

Filename: ndis.sys

Status:

Scan finished. 0 out of 21 scanners reported malware.

Scan taken on: Wed 24 Jun 2009 15:09:10 (CET) Permalink

 

If that's what you meant. If not, I took a screenshot of the page, so if you need it, tell me in the next reply.


Look at the properties of this Ndis(2).sys file and let me know if it's from Microsoft, and include the size of the file.


Yeah, it is from Microsoft.

 

Copyright: © Microsoft Corporation. All rights reserved.


Please, what is the file size (bytes)?


See post no. 3.

 

[7] 2004-08-03 21:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys

[7] 2008-04-13 22:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys

[-] 2009-06-13 10:44 212224 87090A87841A6DE2F46BDCDD9321E3B7 c:\windows\system32\drivers\ndis.sys

 

The malware inserted a bad ndis.sys file into your system.

 

You may have to do this in Safe Mode.

 

Delete this file in bold.

c:\windows\system32\drivers\ndis.sys

 

Rename this file

 

c:\windows\system32\drivers\ndis(2).sys

 

to

c:\windows\system32\drivers\ndis.sys

 

Restart the computer.

 

Let me know what problem persists.


I cannot delete "Ndis" from System32\drivers...

The file is probably currently in use,

and I used Safe Mode.

 

Nasdaq, is it a keylogger?

Please answer fast; my credit card may be in danger.


Nothing else but that file was bad on your log.

Possibly left over after you cleaned the virus.

Alone I do not think it's a keylogger.

 

Open notepad and copy/paste the text in the quote box below into it:

 

KillAll::

FCOPY::
c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\drivers\ndis.sys

 

Save this as CFScript on your desktop.

 

CFScriptB-4.gif

 

Referring to the picture above, drag CFScript into ComboFix.exe.

Then post the resultant log.

 

Let me know what problem persists.

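The check nasdaq performs across his two posts above (comparing the live c:\windows\system32\drivers\ndis.sys against the copies Windows XP keeps in ServicePackFiles\i386 and $NtServicePackUninstall$, then writing the FCOPY:: directive that restores the good one) can be scripted. The block below is an added example, not part of the original thread and not ComboFix's own code: it parses the three "[flag] date time size MD5 path" report lines quoted in the thread (embedded here as constructed sample input), flags any live copy whose MD5 matches none of the reference copies, picks the newest reference copy as the restore source, and prints the resulting CFScript text. The list of directories treated as trustworthy references and the md5_of_file helper are my assumptions, not ComboFix behaviour.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample input: the three ndis.sys lines from the ComboFix
# file-comparison output quoted in this thread.
SAMPLE_REPORT = """\
[7] 2004-08-03 21:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\\windows\\$NtServicePackUninstall$\\ndis.sys
[7] 2008-04-13 22:50 182656 1DF7F42665C94B825322FAE71721130D c:\\windows\\ServicePackFiles\\i386\\ndis.sys
[-] 2009-06-13 10:44 212224 87090A87841A6DE2F46BDCDD9321E3B7 c:\\windows\\system32\\drivers\\ndis.sys
"""

# "[flag] YYYY-MM-DD HH:MM size MD5 path"
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+?)\s*$"
)

# Assumption: directories where Windows XP keeps pristine copies of system
# files. A live file whose hash matches one of these copies is treated as good.
REFERENCE_DIRS = (
    "\\servicepackfiles\\i386\\",
    "\\$ntservicepackuninstall$\\",
    "\\system32\\dllcache\\",
)


def parse_report(text):
    """Parse ComboFix-style comparison lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()   # normalise hash case for comparison
            entries.append(d)
    return entries


def is_reference(path):
    return any(ref in path.lower() for ref in REFERENCE_DIRS)


def find_suspect_copies(entries):
    """Group entries by file name; return live copies whose MD5 matches no reference copy."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].lower().rsplit("\\", 1)[-1]].append(e)

    suspects = []
    for name, copies in by_name.items():
        refs = [c for c in copies if is_reference(c["path"])]
        ref_hashes = {c["md5"] for c in refs}
        for c in copies:
            if is_reference(c["path"]) or c["md5"] in ref_hashes:
                continue
            # Newest reference copy (the service pack file, not the pre-SP
            # uninstall backup) is the one to restore from.
            source = max(refs, key=lambda r: r["date"]) if refs else None
            suspects.append({"name": name, "live": c, "source": source})
    return suspects


def cfscript_for(suspects):
    """Emit a CFScript that stops running processes and restores each suspect from its reference copy."""
    lines = ["KillAll::", "", "FCOPY::"]
    for s in suspects:
        if s["source"] is not None:
            lines.append(f"{s['source']['path']} | {s['live']['path']}")
    return "\n".join(lines) + "\n"


def md5_of_file(path, chunk=1 << 16):
    """Hash a file on disk in chunks, so the same comparison can be repeated by hand."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


if __name__ == "__main__":
    found = find_suspect_copies(parse_report(SAMPLE_REPORT))
    for s in found:
        live, src = s["live"], s["source"]
        print(f"{s['name']}: live copy {live['size']} bytes {live['md5']} "
              f"matches no reference copy; restore from {src['path']}")
    print(cfscript_for(found))
```

On the sample input this reports the 212224-byte drivers\ndis.sys as the odd one out and produces exactly the two-line FCOPY:: script nasdaq posted. MD5 is acceptable here because the comparison is against local copies rather than a hash an attacker chose, but the result is only as good as the reference directories: a rootkit that still has a foothold can alter or hide those too (catchme reported an NTDLL code modification at ZwClose earlier in this thread), so when in doubt hash the files from a clean boot medium rather than from the running system.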

here is the log:

 

 

ComboFix 09-07-08.07 - Admin 07/09/2009 16:34.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.2045.1369 [GMT 3:00]

Running from: c:\documents and settings\Admin\Desktop\Anti\ComboFix.exe

Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

* Created a new restore point

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

.

--------------- FCopy ---------------

 

c:\windows\ServicePackFiles\i386\ndis.sys --> c:\windows\system32\drivers\ndis.sys

.

((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))

.

 

2009-07-04 23:21 . 2008-12-11 05:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-07-04 23:21 . 2009-04-03 08:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-07-04 23:21 . 2008-12-18 09:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-07-04 23:21 . 2009-07-04 23:23 -------- d-----w- c:\program files\Common Files\PC Tools

2009-07-04 23:21 . 2008-12-10 08:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-07-04 23:21 . 2009-07-04 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-07-04 23:21 . 2009-07-04 23:21 -------- d-----w- c:\documents and settings\Admin\Application Data\PC Tools

2009-07-02 23:23 . 2009-07-02 23:23 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes

2009-07-02 23:23 . 2009-06-17 08:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-02 23:23 . 2009-07-02 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-02 23:23 . 2009-06-17 08:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-02 23:18 . 2009-07-02 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-06-27 21:45 . 2009-07-07 15:57 -------- d-----w- c:\program files\Lavasoft

2009-06-27 21:45 . 2009-07-07 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-06-22 22:34 . 2009-06-22 22:34 22272 ----a-w- c:\windows\system32\drivers\RVFsSec.sys

2009-06-22 22:34 . 2009-06-22 22:34 39424 ----a-w- c:\windows\system32\drivers\RVSystem.sys

2009-06-22 22:33 . 2009-06-22 22:35 -------- d--h--w- C:\RETURNIL

2009-06-21 10:21 . 2009-06-21 10:21 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Blizzard Entertainment

2009-06-14 20:29 . 2006-12-14 07:00 110592 ----a-w- c:\documents and settings\Admin\Application Data\U3\temp\cleanup.exe

2009-06-14 20:26 . 2007-02-12 14:46 3096576 ---ha-w- c:\documents and settings\Admin\Application Data\U3\temp\Launchpad Removal.exe

2009-06-14 20:26 . 2009-06-16 14:14 -------- d-----w- c:\documents and settings\Admin\Application Data\U3

2009-06-14 06:56 . 2009-06-14 06:56 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\ESET

2009-06-14 05:51 . 2009-06-14 21:37 -------- d-----w- c:\windows\LastGood

2009-06-13 22:04 . 2009-06-13 22:04 -------- d-----w- c:\windows\system32\wbem\Repository

2009-06-13 10:41 . 2009-06-14 06:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET

2009-06-12 20:07 . 2008-01-07 11:29 352 ---ha-w- c:\windows\nod32fixtemdono.reg

2009-06-12 20:06 . 2009-06-12 20:06 -------- d-----w- c:\documents and settings\Admin\Application Data\ESET

2009-06-12 20:06 . 2009-06-14 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2009-06-11 11:26 . 2009-06-11 11:26 -------- d-----w- c:\program files\Microsoft ActiveSync

2009-06-11 10:46 . 2009-06-11 10:46 -------- d-----w- c:\documents and settings\Admin\Application Data\URSoft

2009-06-11 10:46 . 2009-07-09 13:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-06-11 10:39 . 2009-06-11 10:39 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\PCHealth

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-09 13:42 . 2008-10-22 00:38 -------- d-----w- c:\program files\DNA

2009-07-09 13:42 . 2008-10-22 00:38 -------- d-----w- c:\documents and settings\Admin\Application Data\DNA

2009-07-06 11:27 . 2007-11-22 15:40 -------- d-----w- c:\program files\ESET

2009-07-06 00:21 . 2008-07-12 00:31 -------- d-----w- c:\documents and settings\Admin\Application Data\Skype

2009-07-05 21:08 . 2008-07-12 00:32 -------- d-----w- c:\documents and settings\Admin\Application Data\skypePM

2009-06-22 19:10 . 2009-03-25 08:48 -------- d-----w- c:\program files\World of Warcraft

2009-06-13 10:45 . 2008-06-29 14:39 -------- d-----w- c:\program files\VentSrv

2009-06-13 10:45 . 2009-03-11 14:35 -------- d-----w- c:\program files\QuickTime

2009-06-13 10:44 . 2008-10-13 14:58 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2009-06-13 10:44 . 2008-01-23 12:24 -------- d-----w- c:\program files\ICQToolbar

2009-06-13 10:41 . 2009-06-13 10:41 0 ----a-w- c:\windows\system32\C053.tmp

2009-06-13 10:41 . 2009-06-13 10:41 80 ----a-w- c:\windows\system32\C042.tmp

2009-06-12 20:27 . 2008-10-13 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-06-09 13:45 . 2008-06-29 14:47 -------- d-----w- c:\program files\Ventrilo

2009-06-09 12:12 . 2007-11-26 14:09 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-06-02 15:28 . 2008-07-17 02:08 -------- d-----w- c:\program files\PokerStars

2009-06-01 12:10 . 2008-05-30 10:16 -------- d-----w- c:\documents and settings\Admin\Application Data\Ventrilo

2009-06-01 12:07 . 2008-06-29 14:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-05-28 15:49 . 2007-11-22 21:16 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-05-28 15:40 . 2008-07-11 23:41 -------- d-----w- c:\documents and settings\Admin\Application Data\Hamachi

2009-05-25 08:51 . 2007-11-23 13:41 101968 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-25 07:51 . 2009-05-25 07:51 -------- d-----w- c:\program files\AviSynth 2.5

2009-05-25 07:47 . 2009-05-25 07:47 -------- d-----w- c:\program files\eRightSoft

2009-05-24 16:42 . 2009-05-24 16:42 -------- d-----w- c:\program files\Microsoft Works

2009-05-24 16:42 . 2007-11-23 07:02 -------- d-----w- c:\program files\MSBuild

2009-05-23 09:18 . 2007-11-23 07:02 1528840 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-05-12 19:58 . 2009-05-12 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia

2009-05-12 19:57 . 2009-05-12 19:57 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf

2009-05-12 19:57 . 2009-05-12 19:57 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf

2009-05-12 19:57 . 2009-05-12 19:57 -------- d-----w- c:\documents and settings\Admin\Application Data\Nokia

2009-05-12 17:41 . 2009-05-12 17:13 -------- d-----w- c:\program files\Nokia

2009-05-12 17:41 . 2009-05-12 17:31 -------- d-----w- c:\program files\Common Files\Nokia

2009-05-12 17:34 . 2009-05-12 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaMusic

2009-05-12 17:31 . 2009-05-12 17:31 -------- d-----w- c:\program files\Common Files\muvee Technologies

2006-05-03 10:06 . 2009-05-25 07:50 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 11:47 . 2009-05-25 07:50 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 13:30 . 2009-05-25 07:50 216064 --sh--r- c:\windows\system32\nbDX.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]

"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-07 68856]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]

"DAEMON Tools Pro Agent"="f:\program files\DAEMON Tools Pro\DTProAgent.exe" [2008-10-09 200136]

"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]

"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"Nokia FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2009-02-26 2376992]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-08-18 1447168]

"Rvsystem"="f:\program files\Returnil\Returnil.exe" [2009-06-22 2304000]

"ISTray"="f:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-06-13 16377344]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-11-12 1630208]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

 

c:\documents and settings\Admin\Start Menu\Programs\Startup\

SpywareGuard.lnk - f:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

hp psc 1000 series.lnk - f:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]

hpoddt01.exe.lnk - f:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

ImageMixer 3 SE Camera Monitor for SD.lnk - f:\program files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe [2009-4-11 253952]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Tortun\\gui.exe"=

"c:\\Program Files\\World of Warcraft\\Repair.exe"=

"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=

"c:\\Program Files\\ICQ6\\ICQ.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"f:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"f:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"f:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Nokia\\Nokia Home Media Server\\Media Server\\twonkymedia.exe"=

"c:\\Program Files\\Nokia\\Nokia Home Media Server\\Media Server\\twonkymediaserver.exe"=

"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=

"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

 

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [05/07/2009 02:21 130936]

R0 RVFsSec;RVFsSec;c:\windows\system32\drivers\RVFsSec.sys [23/06/2009 01:34 22272]

R0 RVSystem;RVSystem;c:\windows\system32\drivers\RVSystem.sys [23/06/2009 01:34 39424]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [18/08/2008 13:27 34312]

R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [21/12/2007 08:21 468224]

R2 sdAuxService;PC Tools Auxiliary Service;f:\program files\Spyware Doctor\pctsAuxs.exe [05/07/2009 02:21 348752]

S2 TwonkyMedia;TwonkyMedia;c:\program files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe -serviceversion 0 --> c:\program files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe -serviceversion 0 [?]

 

--- Other Services/Drivers In Memory ---

 

*Deregistered* - mchInjDrv

.

Contents of the 'Scheduled Tasks' folder

 

2009-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

.

.

------- Supplementary Scan -------

.

IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML

IE: &Export to Microsoft Excel (Hebrew menu text: ייצוא אל Microsoft Excel) - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: &Export to Microsoft Excel (Hebrew menu text: יצא ל- Microsoft Excel) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\5uhgdi40.default\

FF - prefs.js: browser.startup.homepage - hxxp://il.msn.com/

FF - plugin: f:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll

FF - plugin: f:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll

FF - plugin: f:\program files\DivX\DivX Web Player\npdivx32.dll

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-09 16:41

Windows 5.1.2600 Service Pack 3 NTFS

 

detected NTDLL code modification:

ZwClose

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-299502267-602609370-682003330-1003\Software\Microsoft\ M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]

"File1"="c:\\WINDOWS\\system32\\compmgmt.msc"

 

[HKEY_USERS\S-1-5-21-299502267-602609370-682003330-1003\Software\SecuROM\License information*]

"datasecu"=hex:ec,a4,f1,91,46,2d,f5,09,a4,9d,b4,fd,a0,c0,a9,c1,5a,4f,99,4d,67,

67,5b,23,be,fa,16,30,a7,5a,c8,a7,23,2f,9e,b8,d6,e4,cb,3d,b4,0b,eb,e9,20,b3,\

"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'explorer.exe'(992)

f:\program files\Spyware Doctor\pctgmhk.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe

c:\windows\system32\nvsvc32.exe

f:\program files\Spyware Doctor\pctsSvc.exe

c:\windows\system32\rundll32.exe

c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe

c:\program files\Common Files\Nero\Lib\NMIndexingService.exe

c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

c:\windows\system32\msiexec.exe

.

**************************************************************************

.

Completion time: 2009-07-09 16:47 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-09 13:47

ComboFix2.txt 2009-07-06 19:01

 

Pre-Run: 7,753,506,816 bytes free

Post-Run: 7,892,389,888 bytes free

 

275 --- E O F --- 2009-02-07 20:55

 

 

Something I noticed: now I've got both Ndis and Ndis(2), and they look like they have the same size.

Edited by strikex

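The ComboFix log above lists services and drivers one per line in the form `R0 PCTCore;PCTools KDS;c:\...\PCTCore.sys [05/07/2009 02:21 130936]`, where R/S is running/stopped, the digit is the start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), and `[?]` in place of the timestamp and size means ComboFix could not stat the image. The script below is an added example for this thread, not ComboFix code and not something any participant posted: it parses those lines into records and flags the ones a reviewer checks first, i.e. an image ComboFix could not verify, a driver deregistered but still in memory (the `*Deregistered* - mchInjDrv` line), a kernel driver loaded from outside `system32\drivers`, and a driver whose name looks like a duplicate of a core one, which is the Ndis(2).sys case the poster ran into. The sample input is copied from the log, except for the final Ndis(2) line, which is constructed (the real log never listed Ndis(2).sys as a registered service).

```python
"""Parse the service/driver section of a ComboFix log and flag the entries
a reviewer would look at first.  Added example; not ComboFix's own code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied from the ComboFix log in this thread.  The LAST line is
# CONSTRUCTED (hypothetical date and size) to exercise the duplicate-name check.
SAMPLE_LOG = r"""
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [05/07/2009 02:21 130936]
R0 RVSystem;RVSystem;c:\windows\system32\drivers\RVSystem.sys [23/06/2009 01:34 39424]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [18/08/2008 13:27 34312]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [21/12/2007 08:21 468224]
S2 TwonkyMedia;TwonkyMedia;c:\program files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe -serviceversion 0 --> c:\program files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe -serviceversion 0 [?]
*Deregistered* - mchInjDrv
R3 Ndis(2);Ndis(2);c:\windows\system32\drivers\Ndis(2).sys [09/07/2009 16:40 182656]
"""

# "<R|S><start> name;display;command [dd/mm/yyyy hh:mm size]"  or  "[?]"
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<command>.*?)\s*\[(?P<stamp>[^\]]*)\]$"
)
# "*Deregistered* - name": service registration gone, driver still in memory
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(?P<name>\S+)$")
STAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+(?P<size>\d+)$")
# First .sys/.exe/.dll token of the command, i.e. the image path without args
IMAGE_RE = re.compile(r"^(?P<path>.+?\.(?:sys|exe|dll))(?:\s|$)", re.IGNORECASE)
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}


@dataclass
class ServiceEntry:
    name: str
    display: str
    image: Optional[str]          # None for a deregistered driver
    running: bool
    start_type: Optional[int]
    size: Optional[int]           # None when ComboFix printed [?]
    verified: bool                # False when ComboFix could not stat the image
    flags: List[str] = field(default_factory=list)


def parse_entries(text: str) -> List[ServiceEntry]:
    entries: List[ServiceEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            stamp = STAMP_RE.match(m["stamp"])
            img = IMAGE_RE.match(m["command"])
            entries.append(ServiceEntry(
                name=m["name"], display=m["display"],
                image=img["path"] if img else m["command"],
                running=m["state"] == "R", start_type=int(m["start"]),
                size=int(stamp["size"]) if stamp else None,
                verified=stamp is not None))
            continue
        d = DEREG_RE.match(line)
        if d:
            entries.append(ServiceEntry(d["name"], d["name"], None, False, None, None, False))
    return entries


def review(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Attach review flags and return only the entries that earned one."""
    for e in entries:
        if e.image is None:
            e.flags.append("deregistered driver still in memory: identify the "
                           "vendor before assuming it is benign")
            continue
        base = e.image.rsplit("\\", 1)[-1].lower()
        if not e.verified:
            e.flags.append("ComboFix could not stat the image ([?]): confirm the "
                           "file exists and who signed it")
        if base.endswith(".sys") and "\\system32\\drivers\\" not in e.image.lower():
            e.flags.append("kernel driver loaded from outside system32\\drivers")
        if "(" in base:
            e.flags.append("duplicate-looking driver name: equal file size is not "
                           "identity, compare a SHA-256 with the original")
    return [e for e in entries if e.flags]


def summarize(e: ServiceEntry) -> str:
    start = START_TYPES.get(e.start_type, "n/a")
    state = "running" if e.running else "stopped"
    return f"{e.name:<12} {state:<8} start={start:<8} {e.image or '-'}"


if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    for entry in found:
        print(summarize(entry))
    print("\n-- needs a look --")
    for entry in review(found):
        print(summarize(entry))
        for flag in entry.flags:
            print("   !", flag)
```

Run it against the whole services block of a log and the flagged list is a short worklist rather than a wall of R0/R2 lines. Two caveats the script cannot settle for you: a boot-start driver (R0) is normal for security and disk-filter products such as the PC Tools and Returnil drivers in this log, so start type alone is not a finding, and the catchme line `detected NTDLL code modification: ZwClose` reports a user-mode hook on an ntdll export, which host security software commonly installs as well as malware, so on its own it does not show that the keylogger is still present.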

You can now delete Ndis(2).sys

 

Any remaining problems?

You can now delete Ndis(2).sys

 

Any remaining problems?

 

Doesn't look like any problems, I just deleted it :p


Please read this Prevention page, which has lots of info and tips on how to prevent this in the future.

How did I get infected in the first place?

http://spywareinfoforum.com/index.php?showtopic=60955

===

 

Time for some housekeeping

  • The following will implement some cleanup procedures as well as reset System Restore points:
     
    Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
     
    ComboFix /u


Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
