Post by: Athrin on September 15, 2008, 12:50:41 AM
I have heard about the AntiVirus XP 2008 But i'm sure i dont have that. I may be wrong. Any help appreciated.
/wink.gif\' class=\'bbc_emoticon\' alt=\';)\' />Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:38 AM, on 9/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [lphctfuj0e5dv] C:\WINDOWS\system32\lphctfuj0e5dv.exe
O4 - HKLM\..\Run: [inrhcpfuj0e5dv] C:\Documents and Settings\Administrator\Local Settings\Temp\.tt89.tmp.exe /CR=5F8C0875B49BA02BB503A8EC828A17BCD8834F9B37AC1EBC85A5329F24B340B2A66DB8A0D6519
9E929A5B92E22396C3FF446942B0F2B476EE463B83E234E23126EB50A258B14E57094E88759F17295
B783
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: prio.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
--
End of file - 5943 bytes
Post by: Athrin on September 15, 2008, 12:59:14 AM
.tt89.tmp files were causing the background to change like that and i got rid of them.
Now to just get the background back working.
Thanks ^^
Post by: guestolo on September 15, 2008, 02:53:12 PM
[color=\"red\"]SDFix[/color] (http://\"http://downloads.andymanchesta.com/RemovalTools/SDFix.exe\")
Save it to your desktop
Reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
In Safe mode
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Go to START>>My Computer>>Double click to open the C:\ folder
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
Afterwards:
download Malwarebytes' Anti-Malware from Here (http://\"http://www.besttechie.net/tools/mbam-setup.exe\") or Here (http://\"http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html\")
Save the installer to desktop
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Full Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
Post back all the following please
1. Post the log from MBAM
2. Post the report from SDFix
3. Post a fresh hijackthis log
Post by: Athrin on September 15, 2008, 08:53:04 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:07 PM, on 9/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\My Documents\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} (MGLaunch_USAv1001 Class) - http://ares.netgame.com/download/mglaunch_USAv1002.cab (http://\"http://ares.netgame.com/download/mglaunch_USAv1002.cab\")
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: prio.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
--
End of file - 5722 bytes
SDFix: Version 1.225
Run by Administrator on Tue 09/16/2008 at 09:48 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Rootkit Found :
C:\WINDOWS\system32\drivers\tdssserv.sys - Rootkit.Win32.Agent.cku
Name :
tdssserv
Path :
\systemroot\system32\drivers\TDSSserv.sys
tdssserv - Deleted
Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\phctfuj0e5dv.bmp - Deleted
C:\Documents and Settings\Administrator\xrt_kpkj.exe - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt108.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt10A.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt118.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt121.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt4.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt5.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt6.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt8.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt85.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.ttBB.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.ttF0.tmp - Deleted
C:\WINDOWS\system32\drivers\svchost.exe - Deleted
C:\WINDOWS\system32\drivers\tdssserv.sys - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2008-09-16 21:52:35
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"="C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe:*:Enabled:Nintendo Wi-Fi USB Connector"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe"
Finished!
Malwarebytes' Anti-Malware 1.27
Database version: 1127
Windows 5.1.2600 Service Pack 3
9/16/2008 10:19:51 PM
mbam-log-2008-09-16 (22-19-51).txt
Scan type: Full Scan (C:\|)
Objects scanned: 54386
Time elapsed: 18 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_patch (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\winlogon.old (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
Post by: guestolo on September 15, 2008, 09:09:11 PM
Download [color=\"blue\"]random's system information tool (RSIT)[/color] by [color=\"#6600cc\"]random/random[/color] from >>[color=\"red\"]here[/color]<< (http://\"http://images.malwareremoval.com/random/RSIT.exe\") and save it to your desktop.
- Double click on RSIT.exe to launch program.
- Click Continue at the disclaimer screen.
- Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
- Once it has finished, two logs will open: log.txt[color=\"red\"]<-- this will be maximized[/color] and info.txt[color=\"red\"]<-- this will be minimized[/color].
Post by: Athrin on September 15, 2008, 09:15:17 PM
Post by: guestolo on September 15, 2008, 09:21:04 PM
/dry.gif\' class=\'bbc_emoticon\' alt=\'<_<\' /> Can you upload the files
In a reply box, click on the BROWSE...
UPLOAD buttons on the lower right of the screen
Post by: Athrin on September 15, 2008, 09:26:49 PM
Post by: guestolo on September 15, 2008, 09:56:30 PM
Can you tell me what you know about this program please
Prio v1.9.7
In addition, I would uninstall Viewpoint media player
Post by: Athrin on September 15, 2008, 10:04:17 PM
I just got my computer fixed with a new motherboard and that was there so i left it.
Post by: guestolo on September 15, 2008, 10:41:21 PM
Prio 1.9.7
Quote
Prio is a utility for saving the priority of applications and interface enhancements for the standard Task ManagerMore info here
http://www.download.com/Prio/3000-2094_4-10455293.html (http://\"http://www.download.com/Prio/3000-2094_4-10455293.html\")
I've never heard of it or used it
I would say it's up to you to keep it or not, but if you don't use it, I would uninstall it from Add and Remove programs
Afterwards, please do the following
Download [color=\"#FF0000\"]ATF-Cleaner[/color] (http://\"http://www.atribune.org/ccount/click.php?id=1\") by Atribune.
Save it to your desktop
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
-------------
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt
Exit ATF-Cleaner from the Main menu
Do a "System scan only" with Hijackthis and put a check next to these entries:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
It appears you have a flash drive infection. Please download Flash_Disinfector (http://\"http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe\") by sUBs and save it to your desktop:
NOTE: In the event you already have Flash_Disinfector, this is a newer version that I need you to download.
* Plug in your USB flash drive.
* Double-click Flash_Disinfector.exe to run it.
* Follow any prompts that may appear.
* Your desktop will vanish for a while, and then reappear. This is normal.
* Wait until the program has finished scanning, then please exit the program. If you use more than 1 flash drive, run the tool with each plugged in.
Afterwards:
If you have an older version of ComboFix, delete it please
Download this file - Combofix.exe (http://\"http://download.bleepingcomputer.com/sUBs/ComboFix.exe\") and save it ONLY to your desktop
We'll need it in a bit
Copy ALL the BLUE text below and Paste to notepad
Don't use anything else than notepad or the script will not work
[color=\"#0000FF\"]Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{243c9a37-8321-11dd-8c3f-fdc62c97640c}]
[/color]
Save this as txtfile on your desktop
CFScript
Then
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
When finished, it shall produce a log for you with the name C:\ComboFix.txt..
Post that log along with one last fresh hijackthis log
Keep me informed how things are running please
Post by: Athrin on September 15, 2008, 11:04:39 PM
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.81 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
[color=\"red\"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.
((((((((((((((((((((((((( Files Created from 2008-08-17 to 2008-09-17 )))))))))))))))))))))))))))))))
.
2008-09-16 22:43 . 2008-09-16 22:43 <DIR> d-------- C:\rsit
2008-09-16 21:59 . 2008-09-16 21:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-16 21:59 . 2008-09-16 21:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-16 21:59 . 2008-09-16 21:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-16 21:59 . 2008-09-08 00:11 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-16 21:59 . 2008-09-08 00:11 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-16 21:51 . 2008-09-16 21:51 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-09-16 21:51 . 2008-09-16 21:51 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-09-16 21:47 . 2008-09-16 21:47 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-09-16 21:46 . 2008-09-16 21:47 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-16 21:41 . 2008-09-16 21:53 <DIR> d-------- C:\SDFix
2008-09-16 15:41 . 2008-09-16 15:41 <DIR> d-------- C:\mGame
2008-09-16 15:41 . 2008-09-16 15:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-09-15 22:44 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-09-15 22:44 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2008-09-15 22:44 . 2008-03-21 01:33 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2008-09-15 22:44 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2008-09-15 22:44 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2008-09-15 22:44 . 2001-08-17 14:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2008-09-15 22:43 . 2008-09-15 22:44 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-09-15 17:12 . 2008-09-15 17:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-09-15 15:34 . 2008-09-15 15:34 <DIR> d-------- C:\Program Files\WiFiConnector
2008-09-15 15:31 . 2008-09-15 15:31 <DIR> d-------- C:\Program Files\CA
2008-09-15 15:31 . 2008-09-15 15:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-09-15 15:31 . 2008-09-15 15:32 880,560 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-09-15 15:31 . 2008-09-15 15:32 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-09-15 15:31 . 2008-01-11 21:30 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2008-09-15 15:31 . 2008-09-15 15:32 91,376 --a------ C:\WINDOWS\system32\isafprod.dll
2008-09-15 15:31 . 2008-01-11 21:30 83,256 --a------ C:\WINDOWS\system32\vetredir.dll
2008-09-15 15:31 . 2008-09-15 15:32 32,240 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-09-15 15:31 . 2008-09-15 15:32 26,352 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-09-15 15:31 . 2008-09-15 15:32 21,488 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-09-15 15:31 . 2008-09-15 15:32 21,104 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-09-15 15:29 . 2008-09-15 15:29 <DIR> d-------- C:\WINDOWS\Logs
2008-09-15 15:28 . 2008-09-15 15:28 <DIR> d-------- C:\Program Files\Sun
2008-09-15 15:28 . 2008-09-15 15:28 <DIR> d-------- C:\Program Files\Java
2008-09-15 15:28 . 2008-09-15 15:28 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-15 15:28 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-15 15:26 . 2008-09-15 15:27 <DIR> d-------- C:\Program Files\LimeWire
2008-09-15 15:26 . 2008-09-15 15:29 <DIR> d-------- C:\Program Files\Direct X
2008-09-15 10:18 . 2008-09-15 10:18 <DIR> d-------- C:\Program Files\Ventrilo
2008-09-15 10:18 . 2008-09-15 10:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-15 10:17 . 2008-09-15 10:17 <DIR> d-------- C:\Program Files\mIRC
2008-09-15 10:17 . 2008-09-15 10:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\mIRC
2008-09-15 10:13 . 2008-09-15 10:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Logitech
2008-09-15 10:13 . 2008-09-15 10:13 127,034 -r------- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2008-09-15 10:12 . 2008-09-15 10:13 <DIR> d-------- C:\Program Files\Logitech
2008-09-15 10:12 . 2008-09-15 10:12 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-09-15 10:12 . 2008-09-15 10:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-09-15 10:08 . 2008-09-15 15:45 <DIR> d-------- C:\Program Files\middle_man
2008-09-15 10:06 . 2008-09-15 10:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Aim
2008-09-15 10:05 . 2008-09-15 15:38 <DIR> d-------- C:\Program Files\Viewpoint
2008-09-15 10:05 . 2008-09-15 10:05 <DIR> d-------- C:\Program Files\AOD
2008-09-15 10:05 . 2008-09-15 10:08 <DIR> d-------- C:\Program Files\AIM
2008-09-15 10:05 . 2004-02-25 08:05 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-09-15 10:01 . 2008-03-20 14:39 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-09-15 10:01 . 2008-03-20 20:36 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-09-15 10:01 . 2008-03-20 14:32 14,592 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-09-15 10:01 . 2001-08-17 08:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-09-15 10:01 . 2008-03-20 14:38 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-16 19:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-16 00:51 507,904 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-09-16 00:51 295,424 ----a-w C:\WINDOWS\system32\termsrv.dll
2008-09-15 14:12 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-09-15 14:12 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-09-15 14:12 --------- d-----w C:\Program Files\Common Files\Ahead
2008-09-15 14:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-15 12:54 --------- d---a-w C:\Program Files\(HDTune)
2008-09-15 12:46 --------- d-----w C:\Program Files\Nero
2008-09-15 12:41 --------- d-----w C:\Program Files\Microsoft.NET
2008-09-15 12:41 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-09-15 12:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Talkback
2008-09-15 12:34 --------- d-----w C:\Program Files\office 2003 pro
2008-09-15 12:30 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-15 12:29 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-09-15 12:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-09-15 12:25 --------- d-----w C:\Program Files\Analog Devices
2008-09-15 12:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-09-15 11:56 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-09-15 11:53 --------- d-----w C:\Program Files\Opera
2008-07-31 14:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 14:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 14:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-12 12:18 467,984 ----a-w C:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 12:18 3,851,784 ----a-w C:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 12:18 1,493,528 ----a-w C:\WINDOWS\system32\D3DCompiler_39.dll
.
------- Sigcheck -------
2008-06-20 06:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\SP2GDR\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\SP3QFE\tcpip.sys
2008-05-03 08:00 361344 37d8387cbd4437c55f454209be10ef11 C:\WINDOWS\system32\drivers\tcpip.sys
2008-09-15 20:51 507904 a8f7ab40d4b2478fdcb4adc1291a9d52 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 67112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-05-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-09-15 181488]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-09-15 234736]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 C:\WINDOWS\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 C:\WINDOWS\KHALMNPR.Exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-08-13 C:\WINDOWS\system32\advpack.dll]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-09-15 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-09-15 688128]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2008-09-15 1073152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"DisableStatusMessages"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SR
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2008-09-17 00:30:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\prio.dll
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\prio.dll
.
Completion time: 2008-09-17 0:32:33
ComboFix-quarantined-files.txt 2008-09-17 04:32:09
Pre-Run: 32,414,777,344 bytes free
Post-Run: 32,412,381,184 bytes free
200
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:21 AM, on 9/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} (MGLaunch_USAv1001 Class) - http://ares.netgame.com/download/mglaunch_USAv1002.cab (http://\"http://ares.netgame.com/download/mglaunch_USAv1002.cab\")
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
--
End of file - 5190 bytes
There they are. Also, my computer tends to just turn off randomly over a period of time. Seems it varies from 10 minutes, to a few hours, a day or two etc. I just got a brand new motherboard so it cant be dead capacitors. Could it be my wireless mouse and keyboard plus the WiFi Connector that could cause this?
And things are running fine.
Post by: guestolo on September 15, 2008, 11:14:55 PM
Was your computer restarting or just shutting down?
Has it done this since we have used SDFix and Malwarebytes?
Also, just as a double check
go to this link
http://www.virustotal.com/flash/index_en.html (http://\"http://www.virustotal.com/flash/index_en.html\")
Copy and paste the following bold line to the space next to 'Upload a File'
Or Browse to the file
C:\WINDOWS\system32\prio.dll
Then use the SEND FILE button
Let it finish scanning
Could you post back the results this scan back here please
Or better yet, just link to the results page
Post by: Athrin on September 15, 2008, 11:18:39 PM
Post by: guestolo on September 15, 2008, 11:21:39 PM
Post by: Athrin on September 15, 2008, 11:29:44 PM
Only prio.ini is there.
Post by: guestolo on September 15, 2008, 11:38:45 PM
Download [color=\"blue\"]OTMoveIt2.exe[/color] (http://\"http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe\") by OldTimer:
- Save it to your desktop.
- Please double-click OTMoveIt2.exe to run it.
- Copy the Blue entries below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
================================================
[color=\"#0000FF\"]C:\WINDOWS\system32\prio.dll
C:\WINDOWS\system32\prio.ini[/color]
====================================================== - Return to OTMoveIt2, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
- Click the red "[color=\"red\"]MoveIt![/color]" button.
- Close OTMoveIt when it has completed.
OTMoveIt would of created a log at this location
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <-indicates date_time of log
If your machine was not prompted to reboot by OTMoveit
Can you reboot your computer manually
Back in Windows
Can you run ComboFix again, this time just double click on ComboFix.exe
When the log opens, post the contents please
In addition, can you post the log from OTMoveit
Post by: Athrin on September 15, 2008, 11:58:05 PM
C:\WINDOWS\system32\prio.ini moved successfully.
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09172008_011753
ComboFix 08-09-15.02 - Administrator 2008-09-17 1:20:55.2 - NTFSx86
Running from: C:\Documents and Settings\Administrator\My Documents\Installations\ComboFix.exe
[color=\"red\"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.
((((((((((((((((((((((((( Files Created from 2008-08-17 to 2008-09-17 )))))))))))))))))))))))))))))))
.
2008-09-17 01:17 . 2008-09-17 01:17 <DIR> d-------- C:\_OTMoveIt
2008-09-17 00:54 . 2008-09-17 00:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ventrilo
2008-09-16 21:59 . 2008-09-16 21:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-16 21:59 . 2008-09-16 21:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-16 21:59 . 2008-09-16 21:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-16 21:59 . 2008-09-08 00:11 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-16 21:59 . 2008-09-08 00:11 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-16 21:51 . 2008-09-16 21:51 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-09-16 21:51 . 2008-09-16 21:51 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-09-16 21:47 . 2008-09-16 21:47 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-09-16 21:46 . 2008-09-16 21:47 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-16 15:41 . 2008-09-16 15:41 <DIR> d-------- C:\mGame
2008-09-16 15:41 . 2008-09-16 15:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-09-15 22:44 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-09-15 22:44 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2008-09-15 22:44 . 2008-03-21 01:33 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2008-09-15 22:44 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2008-09-15 22:44 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2008-09-15 22:44 . 2001-08-17 14:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2008-09-15 22:43 . 2008-09-15 22:44 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-09-15 17:12 . 2008-09-17 01:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-09-15 15:34 . 2008-09-15 15:34 <DIR> d-------- C:\Program Files\WiFiConnector
2008-09-15 15:31 . 2008-09-15 15:31 <DIR> d-------- C:\Program Files\CA
2008-09-15 15:31 . 2008-09-15 15:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-09-15 15:31 . 2008-09-15 15:32 880,560 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-09-15 15:31 . 2008-09-15 15:32 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-09-15 15:31 . 2008-01-11 21:30 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2008-09-15 15:31 . 2008-09-15 15:32 91,376 --a------ C:\WINDOWS\system32\isafprod.dll
2008-09-15 15:31 . 2008-01-11 21:30 83,256 --a------ C:\WINDOWS\system32\vetredir.dll
2008-09-15 15:31 . 2008-09-15 15:32 32,240 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-09-15 15:31 . 2008-09-15 15:32 26,352 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-09-15 15:31 . 2008-09-15 15:32 21,488 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-09-15 15:31 . 2008-09-15 15:32 21,104 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-09-15 15:29 . 2008-09-15 15:29 <DIR> d-------- C:\WINDOWS\Logs
2008-09-15 15:28 . 2008-09-15 15:28 <DIR> d-------- C:\Program Files\Sun
2008-09-15 15:28 . 2008-09-15 15:28 <DIR> d-------- C:\Program Files\Java
2008-09-15 15:28 . 2008-09-15 15:28 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-15 15:28 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-15 15:26 . 2008-09-15 15:27 <DIR> d-------- C:\Program Files\LimeWire
2008-09-15 15:26 . 2008-09-15 15:29 <DIR> d-------- C:\Program Files\Direct X
2008-09-15 10:18 . 2008-09-15 10:18 <DIR> d-------- C:\Program Files\Ventrilo
2008-09-15 10:18 . 2008-09-15 10:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-15 10:17 . 2008-09-15 10:17 <DIR> d-------- C:\Program Files\mIRC
2008-09-15 10:17 . 2008-09-15 10:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\mIRC
2008-09-15 10:13 . 2008-09-15 10:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Logitech
2008-09-15 10:13 . 2008-09-15 10:13 127,034 -r------- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2008-09-15 10:12 . 2008-09-15 10:13 <DIR> d-------- C:\Program Files\Logitech
2008-09-15 10:12 . 2008-09-15 10:12 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-09-15 10:12 . 2008-09-15 10:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-09-15 10:08 . 2008-09-15 15:45 <DIR> d-------- C:\Program Files\middle_man
2008-09-15 10:06 . 2008-09-15 10:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Aim
2008-09-15 10:05 . 2008-09-15 15:38 <DIR> d-------- C:\Program Files\Viewpoint
2008-09-15 10:05 . 2008-09-15 10:05 <DIR> d-------- C:\Program Files\AOD
2008-09-15 10:05 . 2008-09-15 10:08 <DIR> d-------- C:\Program Files\AIM
2008-09-15 10:05 . 2004-02-25 08:05 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-09-15 10:01 . 2008-03-20 14:39 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-09-15 10:01 . 2008-03-20 20:36 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-09-15 10:01 . 2008-03-20 14:32 14,592 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-09-15 10:01 . 2001-08-17 08:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-09-15 10:01 . 2008-03-20 14:38 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-16 19:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-16 00:51 507,904 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-09-16 00:51 295,424 ----a-w C:\WINDOWS\system32\termsrv.dll
2008-09-15 14:12 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-09-15 14:12 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-09-15 14:12 --------- d-----w C:\Program Files\Common Files\Ahead
2008-09-15 14:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-15 12:54 --------- d---a-w C:\Program Files\(HDTune)
2008-09-15 12:46 --------- d-----w C:\Program Files\Nero
2008-09-15 12:41 --------- d-----w C:\Program Files\Microsoft.NET
2008-09-15 12:41 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-09-15 12:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Talkback
2008-09-15 12:34 --------- d-----w C:\Program Files\office 2003 pro
2008-09-15 12:30 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-15 12:29 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-09-15 12:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-09-15 12:25 --------- d-----w C:\Program Files\Analog Devices
2008-09-15 12:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-09-15 11:56 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-09-15 11:53 --------- d-----w C:\Program Files\Opera
2008-07-31 14:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 14:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 14:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-12 12:18 467,984 ----a-w C:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 12:18 3,851,784 ----a-w C:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 12:18 1,493,528 ----a-w C:\WINDOWS\system32\D3DCompiler_39.dll
.
------- Sigcheck -------
2008-06-20 06:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\SP2GDR\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\SP3QFE\tcpip.sys
2008-05-03 08:00 361344 37d8387cbd4437c55f454209be10ef11 C:\WINDOWS\system32\drivers\tcpip.sys
2008-09-15 20:51 507904 a8f7ab40d4b2478fdcb4adc1291a9d52 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 67112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-05-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-09-15 181488]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-09-15 234736]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 C:\WINDOWS\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 C:\WINDOWS\KHALMNPR.Exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-08-13 C:\WINDOWS\system32\advpack.dll]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-09-15 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-09-15 688128]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2008-09-15 1073152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"DisableStatusMessages"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SR
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v85yoeek.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.myspace.com
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2008-09-17 01:25:45
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\prio.dll
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\prio.dll
.
Completion time: 2008-09-17 1:28:22
ComboFix-quarantined-files.txt 2008-09-17 05:27:54
Pre-Run: 32,402,165,760 bytes free
Post-Run: 32,393,220,096 bytes free
203
Post by: guestolo on September 16, 2008, 09:24:08 AM
http://www.billsway.com/vbspage/ (http://\"http://www.billsway.com/vbspage/\")
Scroll down the page
and download the "Registry Search Tool"
Unzip RegSrch.zip to the desktop
Double click on RegSrch.vbs
**If you get a warning from your Anti Virus please ignore it and allow this to run.**
When it starts, you will be prompted to enter a search phrase.
Enter this:
Prio
Click OK, it will disappear and won't look as if it's doing anything. When it's done searching, a prompt will come up saying how many instances it found. Click OK, and a notepad will open up.
Can you save this text file to your desktop
It will be quite long
Then come back here and upload the file please
Post by: Athrin on September 16, 2008, 01:29:29 PM
Post by: guestolo on September 20, 2008, 09:37:52 AM
Go to START>>RUN>>Copy and paste the next bold entry
ComboFix /u
Hit OK
This will uninstall ComboFix and it's components
[color=\"red\"]OTMoveIt2 [/color]
- Double-click OTMoveIt2.exe to run it.
- Click the Cleanup! button
A list will be downloaded>>Allow it Internet access if prompted by your Firewall
Don't change anything in this list - Select Yes at the prompt
Wait for the confirmation box to open to reboot the computer
Don't mouseclick during the wait as you may cause the tool to stall - Select Yes to reboot Now
Have the computer reboot
Back in Windows
How are things now running?
Post by: Athrin on September 20, 2008, 01:27:42 PM
I think i figured out the problem. It was my RAM in the computer that caused it to shutdown like that. Might have been bad memory or something. But it hasn't shut off for 3 days now. =]
Post by: guestolo on September 21, 2008, 01:01:10 PM
Update and run a Quick scan occassionally or uninstall it from Add and Remove Programs
Go ahead and delete Rsit.exe from desktop
and find and delete this folder
C:\rsit
I suggest that you add SpywareBlaster to your protection software
SpywareBlaster by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
- *Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After updating, select "Protection Status" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
or again, click on Protection Startus>>enable all protection
Take a look at miekiemoes site with other ideas on How to prevent Malware: (http://\"http://users.telenet.be/bluepatchy/miekiemoes/prevention.html\")
I hope that helps
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />