« previous next »
Pages: [1] 2

Author Topic: Background Showing Scamware  (Read 4371 times)

Offline Athrin

  • Jr. Member
  • **
  • Posts: 76
  • Karma: +0/-0
    • View Profile
    • http://www.myspace.com/prisonofeternaltorture
Background Showing Scamware
« on: September 15, 2008, 12:50:41 AM »
Not too sure what i have but i know i dont have the win32 trojan. My background has disappeared and is showing a white screen with it saying "Windows Warning Message: Spyware Detected On Your Computer!"

I have heard about the AntiVirus XP 2008 But i'm sure i dont have that. I may be wrong. Any help appreciated. http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/wink.gif\' class=\'bbc_emoticon\' alt=\';)\' />

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:38 AM, on 9/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [lphctfuj0e5dv] C:\WINDOWS\system32\lphctfuj0e5dv.exe
O4 - HKLM\..\Run: [inrhcpfuj0e5dv] C:\Documents and Settings\Administrator\Local Settings\Temp\.tt89.tmp.exe /CR=5F8C0875B49BA02BB503A8EC828A17BCD8834F9B37AC1EBC85A5329F24B340B2A66DB8A0D6519
9E929A5B92E22396C3FF446942B0F2B476EE463B83E234E23126EB50A258B14E57094E88759F17295
B783
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: prio.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 5943 bytes
Logged

Offline Athrin

  • Jr. Member
  • **
  • Posts: 76
  • Karma: +0/-0
    • View Profile
    • http://www.myspace.com/prisonofeternaltorture
Background Showing Scamware
« Reply #1 on: September 15, 2008, 12:59:14 AM »
Ahhh, so i got the background on my computer back but i cant edit it when i right click, properties. The Background and ScreenSaver Tab is missing. =/

.tt89.tmp files were causing the background to change like that and i got rid of them.

Now to just get the background back working.

Thanks ^^
« Last Edit: September 15, 2008, 01:22:21 AM by Athrin »
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Background Showing Scamware
« Reply #2 on: September 15, 2008, 02:53:12 PM »
Download
[color=\"red\"]SDFix[/color]
Save it to your desktop

Reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

In Safe mode
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Go to START>>My Computer>>Double click to open the C:\ folder  
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
I'll need to see that log later

Afterwards:
download Malwarebytes' Anti-Malware from Here or Here
Save the installer to desktop

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
       
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
       
  • Make sure that everything is checked, and click Remove Selected.
        * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
       
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Post back all the following please

1. Post the log from MBAM
2. Post the report from SDFix
3. Post a fresh hijackthis log
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Athrin

  • Jr. Member
  • **
  • Posts: 76
  • Karma: +0/-0
    • View Profile
    • http://www.myspace.com/prisonofeternaltorture
Background Showing Scamware
« Reply #3 on: September 15, 2008, 08:53:04 PM »
Alright, here is everything.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:07 PM, on 9/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\My Documents\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} (MGLaunch_USAv1001 Class) - http://ares.netgame.com/download/mglaunch_USAv1002.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: prio.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 5722 bytes





SDFix: Version 1.225
Run by Administrator on Tue 09/16/2008 at 09:48 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Rootkit Found :
C:\WINDOWS\system32\drivers\tdssserv.sys - Rootkit.Win32.Agent.cku

Name :
tdssserv

Path :
\systemroot\system32\drivers\TDSSserv.sys

tdssserv - Deleted



Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper  

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\phctfuj0e5dv.bmp - Deleted
C:\Documents and Settings\Administrator\xrt_kpkj.exe - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt108.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt10A.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt118.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt121.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt4.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt5.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt6.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt8.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt85.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.ttBB.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.ttF0.tmp - Deleted
C:\WINDOWS\system32\drivers\svchost.exe - Deleted
C:\WINDOWS\system32\drivers\tdssserv.sys  - Deleted





Removing Temp Files

ADS Check :
 


                                 Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-16 21:52:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"="C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe:*:Enabled:Nintendo Wi-Fi USB Connector"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 12 Feb 2007     3,096,576 A..H. --- "C:\Documents and Settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe"

Finished!




Malwarebytes' Anti-Malware 1.27
Database version: 1127
Windows 5.1.2600 Service Pack 3

9/16/2008 10:19:51 PM
mbam-log-2008-09-16 (22-19-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 54386
Time elapsed: 18 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_patch (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\winlogon.old (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Background Showing Scamware
« Reply #4 on: September 15, 2008, 09:09:11 PM »
Can I see another couple logs please, then we'll try one more fix to see if we can clear the remainder of what not needed

Download [color=\"blue\"]random's system information tool (RSIT)[/color] by [color=\"#6600cc\"]random/random[/color] from >>[color=\"red\"]here[/color]<< and save it to your desktop.
  • Double click on RSIT.exe to launch program.
  • Click Continue at the disclaimer screen.
  • Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
  • Once it has finished, two logs will open:  log.txt[color=\"red\"]<-- this will be maximized[/color] and info.txt[color=\"red\"]<-- this will be minimized[/color].
Post both those logs please
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Athrin

  • Jr. Member
  • **
  • Posts: 76
  • Karma: +0/-0
    • View Profile
    • http://www.myspace.com/prisonofeternaltorture
Background Showing Scamware
« Reply #5 on: September 15, 2008, 09:15:17 PM »
It's not letting me post them. Once i hit reply, it goes to a screen saying, method not implemented
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Background Showing Scamware
« Reply #6 on: September 15, 2008, 09:21:04 PM »
Back to that problem  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/dry.gif\' class=\'bbc_emoticon\' alt=\'<_<\' />

Can you upload the files
In a reply box, click on the BROWSE...
UPLOAD buttons on the lower right of the screen
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Athrin

  • Jr. Member
  • **
  • Posts: 76
  • Karma: +0/-0
    • View Profile
    • http://www.myspace.com/prisonofeternaltorture
Background Showing Scamware
« Reply #7 on: September 15, 2008, 09:26:49 PM »
Haha, alright done. =]
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Background Showing Scamware
« Reply #8 on: September 15, 2008, 09:56:30 PM »
In your Add and Remove programs
Can you tell me what you know about this program please

Prio v1.9.7

In addition, I would uninstall Viewpoint media player
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Athrin

  • Jr. Member
  • **
  • Posts: 76
  • Karma: +0/-0
    • View Profile
    • http://www.myspace.com/prisonofeternaltorture
Background Showing Scamware
« Reply #9 on: September 15, 2008, 10:04:17 PM »
I really dont know what that is.

I just got my computer fixed with a new motherboard and that was there so i left it.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Background Showing Scamware
« Reply #10 on: September 15, 2008, 10:41:21 PM »
All I can find out about it
Prio 1.9.7
Quote
Prio is a utility for saving the priority of applications and interface enhancements for the standard Task Manager
More info here
http://www.download.com/Prio/3000-2094_4-10455293.html
I've never heard of it or used it
I would say it's up to you to keep it or not, but if you don't use it, I would uninstall it from Add and Remove programs

Afterwards, please do the following

Download [color=\"#FF0000\"]ATF-Cleaner[/color] by Atribune.
Save it to your desktop
      Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
-------------
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt
Exit ATF-Cleaner from the Main menu

Do a "System scan only" with Hijackthis and put a check next to these entries:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis


It appears you have a flash drive infection. Please download Flash_Disinfector by sUBs and save it to your desktop:

NOTE: In the event you already have Flash_Disinfector, this is a newer version that I need you to download.

    * Plug in your USB flash drive.
    * Double-click Flash_Disinfector.exe to run it.
    * Follow any prompts that may appear.
    * Your desktop will vanish for a while, and then reappear. This is normal.
    * Wait until the program has finished scanning, then please exit the program. If you use more than 1 flash drive, run the tool with each plugged in.

Afterwards:
If you have an older version of ComboFix, delete it please
Download this file - Combofix.exe and save it ONLY to your desktop
We'll need it in a bit

Copy ALL the BLUE text below and Paste to notepad
Don't use anything else than notepad or the script will not work

[color=\"#0000FF\"]Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{243c9a37-8321-11dd-8c3f-fdc62c97640c}]

[/color]
Save this as txtfile on your desktop
CFScript

Then

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts

When finished, it shall produce a log for you  with the name C:\ComboFix.txt..
Post that log along with one last fresh hijackthis log
Keep me informed how things are running please
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Athrin

  • Jr. Member
  • **
  • Posts: 76
  • Karma: +0/-0
    • View Profile
    • http://www.myspace.com/prisonofeternaltorture
Background Showing Scamware
« Reply #11 on: September 15, 2008, 11:04:39 PM »
ComboFix 08-09-15.02 - Administrator 2008-09-17  0:25:51.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.81 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
 * Created a new restore point

[color=\"red\"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

(((((((((((((((((((((((((   Files Created from 2008-08-17 to 2008-09-17  )))))))))))))))))))))))))))))))
.

2008-09-16 22:43 . 2008-09-16 22:43   <DIR>   d--------   C:\rsit
2008-09-16 21:59 . 2008-09-16 21:59   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-09-16 21:59 . 2008-09-16 21:59   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-16 21:59 . 2008-09-16 21:59   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-16 21:59 . 2008-09-08 00:11   38,528   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-16 21:59 . 2008-09-08 00:11   17,200   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-09-16 21:51 . 2008-09-16 21:51   <DIR>   d--------   C:\WINDOWS\system32\xircom
2008-09-16 21:51 . 2008-09-16 21:51   <DIR>   d--------   C:\Program Files\microsoft frontpage
2008-09-16 21:47 . 2008-09-16 21:47   578,560   --a------   C:\WINDOWS\system32\dllcache\user32.dll
2008-09-16 21:46 . 2008-09-16 21:47   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-09-16 21:41 . 2008-09-16 21:53   <DIR>   d--------   C:\SDFix
2008-09-16 15:41 . 2008-09-16 15:41   <DIR>   d--------   C:\mGame
2008-09-16 15:41 . 2008-09-16 15:41   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-09-15 22:44 . 2001-08-17 22:36   8,704   --a------   C:\WINDOWS\system32\kbdjpn.dll
2008-09-15 22:44 . 2001-08-17 22:36   8,192   --a------   C:\WINDOWS\system32\kbdkor.dll
2008-09-15 22:44 . 2008-03-21 01:33   6,144   --a------   C:\WINDOWS\system32\kbd106.dll
2008-09-15 22:44 . 2001-08-17 14:55   6,144   --a------   C:\WINDOWS\system32\kbd101c.dll
2008-09-15 22:44 . 2001-08-17 14:55   6,144   --a------   C:\WINDOWS\system32\kbd101b.dll
2008-09-15 22:44 . 2001-08-17 14:55   5,632   --a------   C:\WINDOWS\system32\kbd103.dll
2008-09-15 22:43 . 2008-09-15 22:44   <DIR>   d--------   C:\WINDOWS\CAVTemp
2008-09-15 17:12 . 2008-09-15 17:31   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-09-15 15:34 . 2008-09-15 15:34   <DIR>   d--------   C:\Program Files\WiFiConnector
2008-09-15 15:31 . 2008-09-15 15:31   <DIR>   d--------   C:\Program Files\CA
2008-09-15 15:31 . 2008-09-15 15:31   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\CA
2008-09-15 15:31 . 2008-09-15 15:32   880,560   --a------   C:\WINDOWS\system32\drivers\vetefile.sys
2008-09-15 15:31 . 2008-09-15 15:32   108,368   --a------   C:\WINDOWS\system32\drivers\veteboot.sys
2008-09-15 15:31 . 2008-01-11 21:30   99,592   --a------   C:\WINDOWS\system32\isafeif.dll
2008-09-15 15:31 . 2008-09-15 15:32   91,376   --a------   C:\WINDOWS\system32\isafprod.dll
2008-09-15 15:31 . 2008-01-11 21:30   83,256   --a------   C:\WINDOWS\system32\vetredir.dll
2008-09-15 15:31 . 2008-09-15 15:32   32,240   --a------   C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-09-15 15:31 . 2008-09-15 15:32   26,352   --a------   C:\WINDOWS\system32\drivers\vet-filt.sys
2008-09-15 15:31 . 2008-09-15 15:32   21,488   --a------   C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-09-15 15:31 . 2008-09-15 15:32   21,104   --a------   C:\WINDOWS\system32\drivers\vet-rec.sys
2008-09-15 15:29 . 2008-09-15 15:29   <DIR>   d--------   C:\WINDOWS\Logs
2008-09-15 15:28 . 2008-09-15 15:28   <DIR>   d--------   C:\Program Files\Sun
2008-09-15 15:28 . 2008-09-15 15:28   <DIR>   d--------   C:\Program Files\Java
2008-09-15 15:28 . 2008-09-15 15:28   <DIR>   d--------   C:\Program Files\Common Files\Java
2008-09-15 15:28 . 2008-06-10 02:32   73,728   --a------   C:\WINDOWS\system32\javacpl.cpl
2008-09-15 15:26 . 2008-09-15 15:27   <DIR>   d--------   C:\Program Files\LimeWire
2008-09-15 15:26 . 2008-09-15 15:29   <DIR>   d--------   C:\Program Files\Direct X
2008-09-15 10:18 . 2008-09-15 10:18   <DIR>   d--------   C:\Program Files\Ventrilo
2008-09-15 10:18 . 2008-09-15 10:18   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-09-15 10:17 . 2008-09-15 10:17   <DIR>   d--------   C:\Program Files\mIRC
2008-09-15 10:17 . 2008-09-15 10:17   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\mIRC
2008-09-15 10:13 . 2008-09-15 10:13   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Logitech
2008-09-15 10:13 . 2008-09-15 10:13   127,034   -r-------   C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2008-09-15 10:12 . 2008-09-15 10:13   <DIR>   d--------   C:\Program Files\Logitech
2008-09-15 10:12 . 2008-09-15 10:12   <DIR>   d--------   C:\Program Files\Common Files\Logitech
2008-09-15 10:12 . 2008-09-15 10:12   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Logitech
2008-09-15 10:08 . 2008-09-15 15:45   <DIR>   d--------   C:\Program Files\middle_man
2008-09-15 10:06 . 2008-09-15 10:06   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Aim
2008-09-15 10:05 . 2008-09-15 15:38   <DIR>   d--------   C:\Program Files\Viewpoint
2008-09-15 10:05 . 2008-09-15 10:05   <DIR>   d--------   C:\Program Files\AOD
2008-09-15 10:05 . 2008-09-15 10:08   <DIR>   d--------   C:\Program Files\AIM
2008-09-15 10:05 . 2004-02-25 08:05   348,160   --a------   C:\WINDOWS\system32\msvcr71.dll
2008-09-15 10:01 . 2008-03-20 14:39   32,128   --a------   C:\WINDOWS\system32\drivers\usbccgp.sys
2008-09-15 10:01 . 2008-03-20 20:36   21,504   --a------   C:\WINDOWS\system32\hidserv.dll
2008-09-15 10:01 . 2008-03-20 14:32   14,592   --a------   C:\WINDOWS\system32\drivers\kbdhid.sys
2008-09-15 10:01 . 2001-08-17 08:48   12,160   --a------   C:\WINDOWS\system32\drivers\mouhid.sys
2008-09-15 10:01 . 2008-03-20 14:38   10,368   --a------   C:\WINDOWS\system32\drivers\hidusb.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-16 19:41   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-09-16 00:51   507,904   ----a-w   C:\WINDOWS\system32\winlogon.exe
2008-09-16 00:51   295,424   ----a-w   C:\WINDOWS\system32\termsrv.dll
2008-09-15 14:12   0   ---ha-w   C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-09-15 14:12   0   ---ha-w   C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-09-15 14:12   ---------   d-----w   C:\Program Files\Common Files\Ahead
2008-09-15 14:11   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-09-15 12:54   ---------   d---a-w   C:\Program Files\(HDTune)
2008-09-15 12:46   ---------   d-----w   C:\Program Files\Nero
2008-09-15 12:41   ---------   d-----w   C:\Program Files\Microsoft.NET
2008-09-15 12:41   ---------   d-----w   C:\Program Files\Microsoft ActiveSync
2008-09-15 12:38   ---------   d-----w   C:\Documents and Settings\Administrator\Application Data\Talkback
2008-09-15 12:34   ---------   d-----w   C:\Program Files\office 2003 pro
2008-09-15 12:30   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-09-15 12:29   ---------   d-----w   C:\Program Files\Common Files\Adobe Systems Shared
2008-09-15 12:29   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-09-15 12:25   ---------   d-----w   C:\Program Files\Analog Devices
2008-09-15 12:24   ---------   d-----w   C:\Documents and Settings\Administrator\Application Data\U3
2008-09-15 11:56   ---------   d-----w   C:\Program Files\Windows Media Connect 2
2008-09-15 11:53   ---------   d-----w   C:\Program Files\Opera
2008-07-31 14:41   68,616   ----a-w   C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 14:41   238,088   ----a-w   C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 14:40   509,448   ----a-w   C:\WINDOWS\system32\XAudio2_2.dll
2008-07-19 02:10   94,920   ----a-w   C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10   94,920   ----a-w   C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10   53,448   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10   53,448   ----a-w   C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10   45,768   ----a-w   C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10   36,552   ----a-w   C:\WINDOWS\system32\wups.dll
2008-07-19 02:10   36,552   ----a-w   C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09   563,912   ----a-w   C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09   563,912   ----a-w   C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09   325,832   ----a-w   C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09   325,832   ----a-w   C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09   205,000   ----a-w   C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09   205,000   ----a-w   C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09   1,811,656   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09   1,811,656   ----a-w   C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-12 12:18   467,984   ----a-w   C:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 12:18   3,851,784   ----a-w   C:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 12:18   1,493,528   ----a-w   C:\WINDOWS\system32\D3DCompiler_39.dll
.

------- Sigcheck -------

2008-06-20 06:45  360320  2a5554fc5b1e04e131230e3ce035c3f9   C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\SP2GDR\tcpip.sys
2008-06-20 06:44  360960  744e57c99232201ae98c49168b918f48   C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\SP2QFE\tcpip.sys
2008-06-20 07:51  361600  9aefa14bd6b182d61e3119fa5f436d3d   C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\SP3GDR\tcpip.sys
2008-06-20 07:59  361600  ad978a1b783b5719720cff204b666c8e   C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\SP3QFE\tcpip.sys
2008-05-03 08:00  361344  37d8387cbd4437c55f454209be10ef11   C:\WINDOWS\system32\drivers\tcpip.sys

2008-09-15 20:51  507904  a8f7ab40d4b2478fdcb4adc1291a9d52   C:\WINDOWS\system32\winlogon.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 67112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-05-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-09-15 181488]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-09-15 234736]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 C:\WINDOWS\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-08-13 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-09-15 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-09-15 688128]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2008-09-15 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=


*Newly Created Service* - PROCEXP90
*Newly Created Service* - SR
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-17 00:30:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\prio.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\prio.dll
.
Completion time: 2008-09-17  0:32:33
ComboFix-quarantined-files.txt  2008-09-17 04:32:09

Pre-Run: 32,414,777,344 bytes free
Post-Run: 32,412,381,184 bytes free

200






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:21 AM, on 9/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} (MGLaunch_USAv1001 Class) - http://ares.netgame.com/download/mglaunch_USAv1002.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 5190 bytes


There they are. Also, my computer tends to just turn off randomly over a period of time. Seems it varies from 10 minutes, to a few hours, a day or two etc. I just got a brand new motherboard so it cant be dead capacitors. Could it be my wireless mouse and keyboard plus the WiFi Connector that could cause this?

And things are running fine.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Background Showing Scamware
« Reply #12 on: September 15, 2008, 11:14:55 PM »
Did you uninstall Prio?

Was your computer restarting or just shutting down?
Has it done this since we have used SDFix and Malwarebytes?

Also, just as a double check
go to this link

http://www.virustotal.com/flash/index_en.html
Copy and paste the following bold line to the space next to  'Upload a File'
Or Browse to the file

C:\WINDOWS\system32\prio.dll
Then use the SEND FILE button
Let it finish scanning
Could you post back the results this scan back here please
Or better yet, just link to the results page
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Athrin

  • Jr. Member
  • **
  • Posts: 76
  • Karma: +0/-0
    • View Profile
    • http://www.myspace.com/prisonofeternaltorture
Background Showing Scamware
« Reply #13 on: September 15, 2008, 11:18:39 PM »
Yes i deleted it from Add/Remove programs so it wont let me paste it. And it would just shut down. The computer is still running because i hear it but the screen just goes black and i have to restart the computer. And it hasnt done it since we used those 2 things.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Background Showing Scamware
« Reply #14 on: September 15, 2008, 11:21:39 PM »
Can you use the browse button at Virustotal and see if you can navigate to the file
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Athrin

  • Jr. Member
  • **
  • Posts: 76
  • Karma: +0/-0
    • View Profile
    • http://www.myspace.com/prisonofeternaltorture
Background Showing Scamware
« Reply #15 on: September 15, 2008, 11:29:44 PM »
It's not there.

Only prio.ini is there.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Background Showing Scamware
« Reply #16 on: September 15, 2008, 11:38:45 PM »
Can you do the following please
Download [color=\"blue\"]OTMoveIt2.exe[/color] by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the Blue entries below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):

    ================================================

    [color=\"#0000FF\"]C:\WINDOWS\system32\prio.dll
    C:\WINDOWS\system32\prio.ini[/color]



    ======================================================
  • Return to OTMoveIt2, right-click on the "Paste List of Files/Folders to be Moved" window  and choose "Paste".
  • Click the red "[color=\"red\"]MoveIt![/color]" button.
  • Close OTMoveIt when it has completed.
[color=\"red\"]Note[/color]:  If an entry cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

OTMoveIt would of created a log at this location
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <-indicates date_time of log

If your machine was not prompted to reboot by OTMoveit
Can you reboot your computer manually

Back in Windows
Can you run ComboFix again, this time just double click on ComboFix.exe
When the log opens, post the contents please

In addition, can you post the log from OTMoveit
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Athrin

  • Jr. Member
  • **
  • Posts: 76
  • Karma: +0/-0
    • View Profile
    • http://www.myspace.com/prisonofeternaltorture
Background Showing Scamware
« Reply #17 on: September 15, 2008, 11:58:05 PM »
File/Folder C:\WINDOWS\system32\prio.dll not found.
C:\WINDOWS\system32\prio.ini moved successfully.
 
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09172008_011753




ComboFix 08-09-15.02 - Administrator 2008-09-17  1:20:55.2 - NTFSx86
Running from: C:\Documents and Settings\Administrator\My Documents\Installations\ComboFix.exe

[color=\"red\"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

(((((((((((((((((((((((((   Files Created from 2008-08-17 to 2008-09-17  )))))))))))))))))))))))))))))))
.

2008-09-17 01:17 . 2008-09-17 01:17   <DIR>   d--------   C:\_OTMoveIt
2008-09-17 00:54 . 2008-09-17 00:55   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Ventrilo
2008-09-16 21:59 . 2008-09-16 21:59   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-09-16 21:59 . 2008-09-16 21:59   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-16 21:59 . 2008-09-16 21:59   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-16 21:59 . 2008-09-08 00:11   38,528   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-16 21:59 . 2008-09-08 00:11   17,200   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-09-16 21:51 . 2008-09-16 21:51   <DIR>   d--------   C:\WINDOWS\system32\xircom
2008-09-16 21:51 . 2008-09-16 21:51   <DIR>   d--------   C:\Program Files\microsoft frontpage
2008-09-16 21:47 . 2008-09-16 21:47   578,560   --a------   C:\WINDOWS\system32\dllcache\user32.dll
2008-09-16 21:46 . 2008-09-16 21:47   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-09-16 15:41 . 2008-09-16 15:41   <DIR>   d--------   C:\mGame
2008-09-16 15:41 . 2008-09-16 15:41   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-09-15 22:44 . 2001-08-17 22:36   8,704   --a------   C:\WINDOWS\system32\kbdjpn.dll
2008-09-15 22:44 . 2001-08-17 22:36   8,192   --a------   C:\WINDOWS\system32\kbdkor.dll
2008-09-15 22:44 . 2008-03-21 01:33   6,144   --a------   C:\WINDOWS\system32\kbd106.dll
2008-09-15 22:44 . 2001-08-17 14:55   6,144   --a------   C:\WINDOWS\system32\kbd101c.dll
2008-09-15 22:44 . 2001-08-17 14:55   6,144   --a------   C:\WINDOWS\system32\kbd101b.dll
2008-09-15 22:44 . 2001-08-17 14:55   5,632   --a------   C:\WINDOWS\system32\kbd103.dll
2008-09-15 22:43 . 2008-09-15 22:44   <DIR>   d--------   C:\WINDOWS\CAVTemp
2008-09-15 17:12 . 2008-09-17 01:08   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-09-15 15:34 . 2008-09-15 15:34   <DIR>   d--------   C:\Program Files\WiFiConnector
2008-09-15 15:31 . 2008-09-15 15:31   <DIR>   d--------   C:\Program Files\CA
2008-09-15 15:31 . 2008-09-15 15:31   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\CA
2008-09-15 15:31 . 2008-09-15 15:32   880,560   --a------   C:\WINDOWS\system32\drivers\vetefile.sys
2008-09-15 15:31 . 2008-09-15 15:32   108,368   --a------   C:\WINDOWS\system32\drivers\veteboot.sys
2008-09-15 15:31 . 2008-01-11 21:30   99,592   --a------   C:\WINDOWS\system32\isafeif.dll
2008-09-15 15:31 . 2008-09-15 15:32   91,376   --a------   C:\WINDOWS\system32\isafprod.dll
2008-09-15 15:31 . 2008-01-11 21:30   83,256   --a------   C:\WINDOWS\system32\vetredir.dll
2008-09-15 15:31 . 2008-09-15 15:32   32,240   --a------   C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-09-15 15:31 . 2008-09-15 15:32   26,352   --a------   C:\WINDOWS\system32\drivers\vet-filt.sys
2008-09-15 15:31 . 2008-09-15 15:32   21,488   --a------   C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-09-15 15:31 . 2008-09-15 15:32   21,104   --a------   C:\WINDOWS\system32\drivers\vet-rec.sys
2008-09-15 15:29 . 2008-09-15 15:29   <DIR>   d--------   C:\WINDOWS\Logs
2008-09-15 15:28 . 2008-09-15 15:28   <DIR>   d--------   C:\Program Files\Sun
2008-09-15 15:28 . 2008-09-15 15:28   <DIR>   d--------   C:\Program Files\Java
2008-09-15 15:28 . 2008-09-15 15:28   <DIR>   d--------   C:\Program Files\Common Files\Java
2008-09-15 15:28 . 2008-06-10 02:32   73,728   --a------   C:\WINDOWS\system32\javacpl.cpl
2008-09-15 15:26 . 2008-09-15 15:27   <DIR>   d--------   C:\Program Files\LimeWire
2008-09-15 15:26 . 2008-09-15 15:29   <DIR>   d--------   C:\Program Files\Direct X
2008-09-15 10:18 . 2008-09-15 10:18   <DIR>   d--------   C:\Program Files\Ventrilo
2008-09-15 10:18 . 2008-09-15 10:18   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-09-15 10:17 . 2008-09-15 10:17   <DIR>   d--------   C:\Program Files\mIRC
2008-09-15 10:17 . 2008-09-15 10:17   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\mIRC
2008-09-15 10:13 . 2008-09-15 10:13   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Logitech
2008-09-15 10:13 . 2008-09-15 10:13   127,034   -r-------   C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2008-09-15 10:12 . 2008-09-15 10:13   <DIR>   d--------   C:\Program Files\Logitech
2008-09-15 10:12 . 2008-09-15 10:12   <DIR>   d--------   C:\Program Files\Common Files\Logitech
2008-09-15 10:12 . 2008-09-15 10:12   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Logitech
2008-09-15 10:08 . 2008-09-15 15:45   <DIR>   d--------   C:\Program Files\middle_man
2008-09-15 10:06 . 2008-09-15 10:06   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Aim
2008-09-15 10:05 . 2008-09-15 15:38   <DIR>   d--------   C:\Program Files\Viewpoint
2008-09-15 10:05 . 2008-09-15 10:05   <DIR>   d--------   C:\Program Files\AOD
2008-09-15 10:05 . 2008-09-15 10:08   <DIR>   d--------   C:\Program Files\AIM
2008-09-15 10:05 . 2004-02-25 08:05   348,160   --a------   C:\WINDOWS\system32\msvcr71.dll
2008-09-15 10:01 . 2008-03-20 14:39   32,128   --a------   C:\WINDOWS\system32\drivers\usbccgp.sys
2008-09-15 10:01 . 2008-03-20 20:36   21,504   --a------   C:\WINDOWS\system32\hidserv.dll
2008-09-15 10:01 . 2008-03-20 14:32   14,592   --a------   C:\WINDOWS\system32\drivers\kbdhid.sys
2008-09-15 10:01 . 2001-08-17 08:48   12,160   --a------   C:\WINDOWS\system32\drivers\mouhid.sys
2008-09-15 10:01 . 2008-03-20 14:38   10,368   --a------   C:\WINDOWS\system32\drivers\hidusb.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-16 19:41   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-09-16 00:51   507,904   ----a-w   C:\WINDOWS\system32\winlogon.exe
2008-09-16 00:51   295,424   ----a-w   C:\WINDOWS\system32\termsrv.dll
2008-09-15 14:12   0   ---ha-w   C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-09-15 14:12   0   ---ha-w   C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-09-15 14:12   ---------   d-----w   C:\Program Files\Common Files\Ahead
2008-09-15 14:11   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-09-15 12:54   ---------   d---a-w   C:\Program Files\(HDTune)
2008-09-15 12:46   ---------   d-----w   C:\Program Files\Nero
2008-09-15 12:41   ---------   d-----w   C:\Program Files\Microsoft.NET
2008-09-15 12:41   ---------   d-----w   C:\Program Files\Microsoft ActiveSync
2008-09-15 12:38   ---------   d-----w   C:\Documents and Settings\Administrator\Application Data\Talkback
2008-09-15 12:34   ---------   d-----w   C:\Program Files\office 2003 pro
2008-09-15 12:30   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-09-15 12:29   ---------   d-----w   C:\Program Files\Common Files\Adobe Systems Shared
2008-09-15 12:29   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-09-15 12:25   ---------   d-----w   C:\Program Files\Analog Devices
2008-09-15 12:24   ---------   d-----w   C:\Documents and Settings\Administrator\Application Data\U3
2008-09-15 11:56   ---------   d-----w   C:\Program Files\Windows Media Connect 2
2008-09-15 11:53   ---------   d-----w   C:\Program Files\Opera
2008-07-31 14:41   68,616   ----a-w   C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 14:41   238,088   ----a-w   C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 14:40   509,448   ----a-w   C:\WINDOWS\system32\XAudio2_2.dll
2008-07-19 02:10   94,920   ----a-w   C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10   94,920   ----a-w   C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10   53,448   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10   53,448   ----a-w   C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10   45,768   ----a-w   C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10   36,552   ----a-w   C:\WINDOWS\system32\wups.dll
2008-07-19 02:10   36,552   ----a-w   C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09   563,912   ----a-w   C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09   563,912   ----a-w   C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09   325,832   ----a-w   C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09   325,832   ----a-w   C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09   205,000   ----a-w   C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09   205,000   ----a-w   C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09   1,811,656   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09   1,811,656   ----a-w   C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-12 12:18   467,984   ----a-w   C:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 12:18   3,851,784   ----a-w   C:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 12:18   1,493,528   ----a-w   C:\WINDOWS\system32\D3DCompiler_39.dll
.

------- Sigcheck -------

2008-06-20 06:45  360320  2a5554fc5b1e04e131230e3ce035c3f9   C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\SP2GDR\tcpip.sys
2008-06-20 06:44  360960  744e57c99232201ae98c49168b918f48   C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\SP2QFE\tcpip.sys
2008-06-20 07:51  361600  9aefa14bd6b182d61e3119fa5f436d3d   C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\SP3GDR\tcpip.sys
2008-06-20 07:59  361600  ad978a1b783b5719720cff204b666c8e   C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\SP3QFE\tcpip.sys
2008-05-03 08:00  361344  37d8387cbd4437c55f454209be10ef11   C:\WINDOWS\system32\drivers\tcpip.sys

2008-09-15 20:51  507904  a8f7ab40d4b2478fdcb4adc1291a9d52   C:\WINDOWS\system32\winlogon.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 67112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-05-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-09-15 181488]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-09-15 234736]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 C:\WINDOWS\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-08-13 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-09-15 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-09-15 688128]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2008-09-15 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=


*Newly Created Service* - PROCEXP90
*Newly Created Service* - SR
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v85yoeek.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.myspace.com
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-17 01:25:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\prio.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\prio.dll
.
Completion time: 2008-09-17  1:28:22
ComboFix-quarantined-files.txt  2008-09-17 05:27:54

Pre-Run: 32,402,165,760 bytes free
Post-Run: 32,393,220,096 bytes free

203
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Background Showing Scamware
« Reply #18 on: September 16, 2008, 09:24:08 AM »
Go to the following link
http://www.billsway.com/vbspage/
Scroll down the page
and download the "Registry Search Tool"
Unzip RegSrch.zip to the desktop
Double click on RegSrch.vbs

**If you get a warning from your Anti Virus please ignore it and allow this to run.**
When it starts, you will be prompted to enter a search phrase.
Enter this:

Prio

Click OK, it will disappear and won't look as if it's doing anything. When it's done searching, a prompt will come up saying how many instances it found. Click OK, and a notepad will open up.
Can you save this text file to your desktop
It will be quite long

Then come back here and upload the file please
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Athrin

  • Jr. Member
  • **
  • Posts: 76
  • Karma: +0/-0
    • View Profile
    • http://www.myspace.com/prisonofeternaltorture
Background Showing Scamware
« Reply #19 on: September 16, 2008, 01:29:29 PM »
Alright, here it is.
Logged
Pages: [1] 2
« previous next »