MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Author Topic: HJT Log  (Read 2426 times)
Joanne
Full Member
« on: July 12, 2008, 08:09:55 AM »

Hi,

Am wondering if someone can help me... A few days ago I started having some weird things happen on my computer. Every time I try to watch a movie (or play a game) it will minimize and I can see a strange program open in my task manager. "mpe10108.exe" it's called.
I close it and after about 15 mins it opens up again. Pretty sure it's something bad but no idea how to get rid of it.
Anyway - HJT LOG:

Logfile of HijackThis v1.99.1
Scan saved at 6:02:56 PM, on 12/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PC-TV\WinManager\WinManager.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jo\Desktop\Bluevex 5.3\Bluevex 5.3\Blu.exe
C:\Program Files\Diablo II\Game.exe
C:\WINDOWS\system32\rundll32.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lorbs.livejournal.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [lifeCam] "c:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2007&error=0&language=en&product=SymNRT&version=2008.0.1.19&build=Symantec&a=00000082.00000002.00000002&b=00000082.0000000f.0000001b&c=00000082.00000010.00000020&d=00000082.00000015.00000022&e=00000082.00000049.000000b9
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab50997.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.1.0178.00.dll
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - C:\WINDOWS\system32\iprepair.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


I appreciate any help <3
Pancake
Global Moderator
« Reply #1 on: July 13, 2008, 11:27:49 PM »

I can't see any malware in your log, but let's see if anything is hiding.

OK. Let's download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please visit this webpage for downloading and instructions for running the tool:

Go here: A guide and tutorial on using ComboFix

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.



Joanne
Full Member
« Reply #2 on: July 14, 2008, 08:35:05 AM »

Hi Pancake

Here is the combofix log:


ComboFix 08-07-13.9 - Jo 2008-07-14 18:15:15.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.248 [GMT 10:00]
Running from: C:\Documents and Settings\Jo\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jo\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\MSINET.oca

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NEW_DRV
-------\Service_new_drv


(((((((((((((((((((((((((   Files Created from 2008-06-14 to 2008-07-14  )))))))))))))))))))))))))))))))
.

2008-07-12 22:13 . 2008-07-12 22:13   35,842   --a------   C:\WINDOWS\system32\mPE10108.exe
2008-07-12 22:13 . 2008-07-12 22:13   0   --a------   C:\WINDOWS\system32\mPE10108.exe.a_a
2008-07-11 17:04 . 2008-07-11 17:04   29,760   --a------   C:\WINDOWS\system32\364l5jxB.exe
2008-07-10 22:58 . 2008-07-10 22:58   <DIR>   d--------   C:\WINDOWS\system32\XPSViewer
2008-07-10 22:58 . 2008-07-10 22:58   <DIR>   d--------   C:\Program Files\Reference Assemblies
2008-07-10 22:58 . 2008-07-10 22:58   <DIR>   d--------   C:\Program Files\MSBuild
2008-07-10 22:57 . 2006-06-29 13:07   14,048   ---------   C:\WINDOWS\system32\spmsg2.dll
2008-07-10 22:56 . 2008-07-10 22:56   <DIR>   d--------   C:\Program Files\MSXML 6.0
2008-06-24 14:01 . 2008-06-24 14:55   <DIR>   d--------   C:\Documents and Settings\Jo\Application Data\U3
2008-06-24 13:29 . 2008-06-24 13:29   <DIR>   d--------   C:\Memorex Vault
2008-06-21 03:41 . 2008-06-21 03:41   245,248   -----c---   C:\WINDOWS\system32\dllcache\mswsock.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 08:11   ---------   d-----w   C:\Program Files\Diablo II
2008-07-12 14:48   ---------   d-----w   C:\Program Files\Common Files\LogiShrd
2008-07-12 07:28   ---------   d-----w   C:\Program Files\Ad-aware 6
2008-06-20 10:45   360,320   ------w   C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44   138,368   ------w   C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52   225,920   ------w   C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10   272,128   ------w   C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 08:37   ---------   d-----w   C:\Program Files\Motorola Phone Tools
2008-06-13 08:35   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-06-13 08:03   ---------   d-----w   C:\Program Files\Avanquest update
2008-06-08 06:18   ---------   d-----w   C:\Program Files\SystemRequirementsLab
2008-06-08 06:18   ---------   d-----w   C:\Documents and Settings\Jo\Application Data\SystemRequirementsLab
2008-06-03 14:37   ---------   d-----w   C:\Program Files\Mozilla Thunderbird
.

------- Sigcheck -------

Cryptography Services Error !!
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VX1000"="C:\WINDOWS\vVX1000.exe" [2007-04-10 13:46 709992]
"LifeCam"="c:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 13:45 279912]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 02:10 55824 C:\WINDOWS\KHALMNPR.Exe]

C:\Documents and Settings\Jo\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 18:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-04-23 19:15:05 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-02-11 21:18:23 784912]
WinManager.lnk - C:\Program Files\PC-TV\WinManager\WinManager.exe [2007-03-11 23:30:04 61440]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 00000000
"NoFind"= 00000000
"NoRun"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoClose"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\Common Files\\PocketSoft\\RTPatch\\AutoRTP\\artpschd.exe"=
"C:\\Program Files\\CoffeeCup Software\\Coffee.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\Program Files\AIM\aim.exe"= C:\Program Files\AIM\aim.exe
"C:\Program Files\Adobe\Photoshop 6.0\Photoshp.exe"= C:\Program Files\Adobe\Photoshop 6.0\P
"C:\Program Files\Yahoo!\Messenger\YServer.exe"= C:\Program Files\Yahoo!\Messenger\YServer.exe
"C:\\Program Files\\Sony Ericsson\\Update Service\\ma3platform.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Outlook Express\\msimn.exe"=
"C:\\Program Files\\Diablo II\\Diablo II.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Skype\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4000:TCP"= 4000:TCP:D2-1
"6112:TCP"= 6112:TCP:D2-2
"6113:TCP"= 6113:TCP:D2-3
"6114:TCP"= 6114:TCP:D2-4
"6115:TCP"= 6115:TCP:D2-5
"6116:TCP"= 6116:TCP:D2-6
"6117:TCP"= 6117:TCP:D2-7
"6118:TCP"= 6118:TCP:D2-8
"6119:TCP"= 6119:TCP:D2-9
"6112:UDP"= 6112:UDP:D3-1
"6113:UDP"= 6113:UDP:D2-2
"6114:UDP"= 6114:UDP:D3-3
"6115:UDP"= 6115:UDP:D3-4
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6881:UDP"= 6881:UDP:Azureus

R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 22:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 22:41]
R0 viaraid;viaraid;C:\WINDOWS\system32\DRIVERS\viaraid.sys [2003-10-21 16:03]
R2 MSCamSvc;MSCamSvc;c:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 13:45]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2006-12-13 19:00]
S3 UDTT2BDA;DTV-DVB USB2 DVB-T receiver;C:\WINDOWS\system32\Drivers\UDTT2BDA.sys [2006-06-22 08:57]
S3 UDTT2HID;UDTT2HID - USB 2.0 HID Driver;C:\WINDOWS\system32\drivers\UDTT2HID.sys [2006-06-28 16:07]
S3 VERYSPLIT;VerySoft WebCamSplitter, WDM Streaming Driver;C:\WINDOWS\system32\DRIVERS\verysplit.sys [2006-03-07 18:07]
S3 VSAudio;VerySoft Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vsaudio.sys [2006-02-27 20:50]
S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2007-04-10 13:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6b5ce31-4198-11dd-b05e-000c6ee9b9f5}]
\Shell\AutoRun\command - E:\PortableVault.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-07-11 07:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
"2008-07-12 14:53:01 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-12 06:00:03 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-12 07:00:01 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-14 08:00:02 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-12 15:00:01 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-13 09:00:02 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-12 10:00:01 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-12 11:00:02 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-13 12:00:04 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-12 14:15:36 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-12 15:00:30 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-12 22:03:13 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\mPE10108.exe

"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-12 17:00:01 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-12 06:49:43 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-12 07:00:58 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-14 08:01:27 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-13 11:04:08 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-12 10:00:00 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-12 11:00:10 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-13 12:00:34 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:32 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2007-06-13 04:39:34 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe%Scan -RestrictPrivileges -ScanType 1
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)
Notify-WgaLogon - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 18:20:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\LogiShrd\KHAL2\KHALMNPR.exe
C:\Program Files\SpywareGuard\sgbhp.exe
.
**************************************************************************
.
Completion time: 2008-07-14 18:24:51 - machine was rebooted [Jo]
ComboFix-quarantined-files.txt  2008-07-14 08:24:48

Pre-Run: 8,850,993,152 bytes free
Post-Run: 8,734,408,704 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[Operating Systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

280   --- E O F ---   2008-07-11 03:02:03
Joanne
Full Member
« Reply #3 on: July 14, 2008, 08:35:29 AM »

and HJT


Logfile of HijackThis v1.99.1
Scan saved at 6:30:07 PM, on 14/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PC-TV\WinManager\WinManager.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lorbs.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [lifeCam] "c:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2007&error=0&language=en&product=SymNRT&version=2008.0.1.19&build=Symantec&a=00000082.00000002.00000002&b=00000082.0000000f.0000001b&c=00000082.00000010.00000020&d=00000082.00000015.00000022&e=00000082.00000049.000000b9
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab50997.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




Just to mention that the top few files of the ComboFix log (mPE10108.exe and the following 2) are the ones that keep opening themselves and minimizing all my windows... so pretty sure they are the problem.

Thanks!
Pancake
Global Moderator
« Reply #4 on: July 14, 2008, 08:46:04 AM »


We need to clean this Lop infection. Download and unzip to one folder:
http://metallica.geekstogo.com/findlop.zip

Inside the folder find findlop.bat

Double-click it and it will create the file C:\findlop.txt
Find that file and copy the content into your next post.


===================================================

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote

File::
C:\WINDOWS\system32\mPE10108.exe
C:\WINDOWS\system32\mPE10108.exe.a_a
C:\WINDOWS\system32\364l5jxB.exe

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*


Joanne
« Reply #5 on: July 14, 2008, 09:05:40 AM »

ComboFix 08-07-13.9 - Jo 2008-07-14 18:59:20.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.249 [GMT 10:00]
Running from: C:\Documents and Settings\Jo\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jo\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
C:\WINDOWS\system32\364l5jxB.exe
C:\WINDOWS\system32\mPE10108.exe
C:\WINDOWS\system32\mPE10108.exe.a_a
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\364l5jxB.exe
C:\WINDOWS\system32\mPE10108.exe
C:\WINDOWS\system32\mPE10108.exe.a_a

.
(((((((((((((((((((((((((   Files Created from 2008-06-14 to 2008-07-14  )))))))))))))))))))))))))))))))
.

2008-07-10 22:58 . 2008-07-10 22:58   <DIR>   d--------   C:\WINDOWS\system32\XPSViewer
2008-07-10 22:58 . 2008-07-10 22:58   <DIR>   d--------   C:\Program Files\Reference Assemblies
2008-07-10 22:58 . 2008-07-10 22:58   <DIR>   d--------   C:\Program Files\MSBuild
2008-07-10 22:57 . 2006-06-29 13:07   14,048   ---------   C:\WINDOWS\system32\spmsg2.dll
2008-07-10 22:56 . 2008-07-10 22:56   <DIR>   d--------   C:\Program Files\MSXML 6.0
2008-06-24 14:01 . 2008-06-24 14:55   <DIR>   d--------   C:\Documents and Settings\Jo\Application Data\U3
2008-06-24 13:29 . 2008-06-24 13:29   <DIR>   d--------   C:\Memorex Vault
2008-06-21 03:41 . 2008-06-21 03:41   245,248   -----c---   C:\WINDOWS\system32\dllcache\mswsock.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 08:11   ---------   d-----w   C:\Program Files\Diablo II
2008-07-12 14:48   ---------   d-----w   C:\Program Files\Common Files\LogiShrd
2008-07-12 07:28   ---------   d-----w   C:\Program Files\Ad-aware 6
2008-06-20 17:41   245,248   ----a-w   C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45   360,320   ------w   C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44   138,368   ------w   C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52   225,920   ------w   C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10   272,128   ------w   C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 08:37   ---------   d-----w   C:\Program Files\Motorola Phone Tools
2008-06-13 08:35   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-06-13 08:03   ---------   d-----w   C:\Program Files\Avanquest update
2008-06-08 06:18   ---------   d-----w   C:\Program Files\SystemRequirementsLab
2008-06-08 06:18   ---------   d-----w   C:\Documents and Settings\Jo\Application Data\SystemRequirementsLab
2008-06-03 14:37   ---------   d-----w   C:\Program Files\Mozilla Thunderbird
2008-05-07 05:18   1,287,680   ------w   C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04   659,456   ----a-w   C:\WINDOWS\system32\wininet.dll
2003-06-03 13:49   448,256   -c--a-w   C:\WINDOWS\inf\EL2K_N64.sys
2003-06-03 13:48   147,328   -c--a-w   C:\WINDOWS\inf\EL2K_XP.sys
2003-06-03 13:47   147,328   -c--a-w   C:\WINDOWS\inf\EL2K_2K.sys
.

(((((((((((((((((((((((((((((   snapshot@2008-07-14_18.24.30.35   )))))))))))))))))))))))))))))))))))))))))
.
- 2007-05-25 07:59:58   9,028   -c--a-w   C:\WINDOWS\mozver.dat
+ 2008-07-14 08:41:48   11,239   -c--a-w   C:\WINDOWS\mozver.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VX1000"="C:\WINDOWS\vVX1000.exe" [2007-04-10 13:46 709992]
"LifeCam"="c:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 13:45 279912]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 02:10 55824 C:\WINDOWS\KHALMNPR.Exe]

C:\Documents and Settings\Jo\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 18:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-04-23 19:15:05 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-02-11 21:18:23 784912]
WinManager.lnk - C:\Program Files\PC-TV\WinManager\WinManager.exe [2007-03-11 23:30:04 61440]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 00000000
"NoFind"= 00000000
"NoRun"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoClose"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\Common Files\\PocketSoft\\RTPatch\\AutoRTP\\artpschd.exe"=
"C:\\Program Files\\CoffeeCup Software\\Coffee.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\Program Files\AIM\aim.exe"= C:\Program Files\AIM\aim.exe
"C:\Program Files\Adobe\Photoshop 6.0\Photoshp.exe"= C:\Program Files\Adobe\Photoshop 6.0\P
"C:\Program Files\Yahoo!\Messenger\YServer.exe"= C:\Program Files\Yahoo!\Messenger\YServer.exe
"C:\\Program Files\\Sony Ericsson\\Update Service\\ma3platform.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Outlook Express\\msimn.exe"=
"C:\\Program Files\\Diablo II\\Diablo II.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Skype\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4000:TCP"= 4000:TCP:D2-1
"6112:TCP"= 6112:TCP:D2-2
"6113:TCP"= 6113:TCP:D2-3
"6114:TCP"= 6114:TCP:D2-4
"6115:TCP"= 6115:TCP:D2-5
"6116:TCP"= 6116:TCP:D2-6
"6117:TCP"= 6117:TCP:D2-7
"6118:TCP"= 6118:TCP:D2-8
"6119:TCP"= 6119:TCP:D2-9
"6112:UDP"= 6112:UDP:D3-1
"6113:UDP"= 6113:UDP:D2-2
"6114:UDP"= 6114:UDP:D3-3
"6115:UDP"= 6115:UDP:D3-4
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6881:UDP"= 6881:UDP:Azureus

R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 22:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 22:41]
R0 viaraid;viaraid;C:\WINDOWS\system32\DRIVERS\viaraid.sys [2003-10-21 16:03]
R2 MSCamSvc;MSCamSvc;c:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 13:45]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2006-12-13 19:00]
S3 UDTT2BDA;DTV-DVB USB2 DVB-T receiver;C:\WINDOWS\system32\Drivers\UDTT2BDA.sys [2006-06-22 08:57]
S3 UDTT2HID;UDTT2HID - USB 2.0 HID Driver;C:\WINDOWS\system32\drivers\UDTT2HID.sys [2006-06-28 16:07]
S3 VERYSPLIT;VerySoft WebCamSplitter, WDM Streaming Driver;C:\WINDOWS\system32\DRIVERS\verysplit.sys [2006-03-07 18:07]
S3 VSAudio;VerySoft Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vsaudio.sys [2006-02-27 20:50]
S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2007-04-10 13:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6b5ce31-4198-11dd-b05e-000c6ee9b9f5}]
\Shell\AutoRun\command - E:\PortableVault.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-07-11 07:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
"2008-07-12 14:53:01 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-12 06:00:03 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-12 07:00:01 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-14 08:00:02 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-12 15:00:01 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-13 09:00:02 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-12 10:00:01 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-12 11:00:02 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-13 12:00:04 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-12 14:15:36 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-12 15:00:30 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-12 22:03:13 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\mPE10108.exe

"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-12 17:00:01 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-12 06:49:43 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-12 07:00:58 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-14 08:01:27 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-13 11:04:08 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-12 10:00:00 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-12 11:00:10 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-13 12:00:34 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:32 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2007-06-13 04:39:34 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe%Scan -RestrictPrivileges -ScanType 1
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 19:02:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-14 19:02:53
ComboFix-quarantined-files.txt  2008-07-14 09:02:50
ComboFix2.txt  2008-07-14 08:24:52

Pre-Run: 8,870,035,456 bytes free
Post-Run: 8,854,884,352 bytes free

269   --- E O F ---   2008-07-11 03:02:03
Logged
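The "Scheduled Tasks" section of the ComboFix log above is what shows how the two files re-launched themselves: 48 at.exe jobs (At1.job to At48.job) all point at the same two executables in system32. As an added example, not code from this thread or from ComboFix, here is a Python script that parses that section and reports any program launched by many AtN.job entries. The sample text is a constructed excerpt of the log above (a subset of the At jobs plus the two vendor tasks); the threshold of three jobs is my own choice.

```python
import re
from collections import defaultdict

# Constructed excerpt laid out like the "Contents of the 'Scheduled Tasks' folder"
# section of the ComboFix log above: a subset of the AtN.job entries plus the
# two vendor tasks, so that the script runs offline.
SAMPLE_TASKS = r'''
Contents of the 'Scheduled Tasks' folder
"2008-07-11 07:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
"2008-07-12 14:53:01 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-11 07:04:42 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\364l5jxB.exe
"2008-07-12 14:15:36 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-12 15:00:30 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\mPE10108.exe
"2008-07-11 07:16:31 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\mPE10108.exe
"2007-06-13 04:39:34 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe%Scan -RestrictPrivileges -ScanType 1
.
'''

# One job is printed as a quoted "<timestamp> <path to .job>" line followed by
# a "- <command>" line.
JOB_RE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+?\\Tasks\\(.+?\.job))"$')
# at.exe names the jobs it creates AtN.job.
AT_JOB_RE = re.compile(r'^At(\d+)\.job$', re.IGNORECASE)


def parse_scheduled_tasks(text):
    """Return a list of (job_name, timestamp, command) from the section text."""
    tasks = []
    lines = [ln.rstrip() for ln in text.splitlines()]
    for i, line in enumerate(lines[:-1]):
        m = JOB_RE.match(line)
        if m and lines[i + 1].startswith('- '):
            timestamp, _, job_name = m.groups()
            tasks.append((job_name, timestamp, lines[i + 1][2:].strip()))
    return tasks


def executable_of(command):
    """Program path without arguments, lower-cased for grouping. In this log
    format the program and its arguments are joined by '%' (see the
    MpCmdRun.exe entry in the log above)."""
    return command.split('%', 1)[0].strip().lower()


def group_by_executable(tasks):
    """Map each scheduled program to the list of job names that launch it."""
    groups = defaultdict(list)
    for job_name, _, command in tasks:
        groups[executable_of(command)].append(job_name)
    return dict(groups)


def suspicious_targets(tasks, min_at_jobs=3):
    """Programs launched by at least `min_at_jobs` distinct AtN.job entries,
    with the jobs ordered by number. One program scheduled by many at.exe
    jobs is the pattern visible in the log above (48 jobs, two executables).
    The threshold is an assumption chosen for this example."""
    flagged = {}
    for exe, jobs in group_by_executable(tasks).items():
        at_jobs = [j for j in jobs if AT_JOB_RE.match(j)]
        if len(at_jobs) >= min_at_jobs:
            flagged[exe] = sorted(at_jobs, key=lambda j: int(AT_JOB_RE.match(j).group(1)))
    return flagged


if __name__ == '__main__':
    found = parse_scheduled_tasks(SAMPLE_TASKS)
    print(f'{len(found)} scheduled tasks parsed')
    for exe, jobs in suspicious_targets(found).items():
        print(f'{exe}: launched by {len(jobs)} at.exe jobs ({jobs[0]} .. {jobs[-1]})')
```

Run against the full section from the log above, the two system32 executables come out with 24 jobs each while the TuneUp and OneCare tasks, which are not AtN.job entries, are left alone. The same grouping also explains the symptom in the first post: a program that is re-launched every time one of its hourly jobs fires looks like it "opens up again" after being closed.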
Joanne
« Reply #6 on: July 14, 2008, 09:10:40 AM »

Logfile of HijackThis v1.99.1
Scan saved at 7:10:37 PM, on 14/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PC-TV\WinManager\WinManager.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lorbs.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [lifeCam] "c:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2007&error=0&language=en&product=SymNRT&version=2008.0.1.19&build=Symantec&a=00000082.00000002.00000002&b=00000082.0000000f.0000001b&c=00000082.00000010.00000020&d=00000082.00000015.00000022&e=00000082.00000049.000000b9
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab50997.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Joanne
« Reply #7 on: July 14, 2008, 09:13:00 AM »

For some reason it won't let me post the findlop file (says I can't post anything with an empty body... ?)


I have uploaded it to my website
http://sage.host.sk/findlop.txt
« Last Edit: July 14, 2008, 09:38:07 AM by Joanne »
Pancake
« Reply #8 on: July 14, 2008, 10:44:50 AM »

I can't get on your web site. It says I have no permission.


Please download Malwarebytes' Anti-Malware from one of these places:

http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Please Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
« Last Edit: July 14, 2008, 10:52:05 AM by Pancake »
Joanne
« Reply #9 on: July 14, 2008, 11:08:45 AM »

Malwarebytes' Anti-Malware 1.20
Database version: 948
Windows 5.1.2600 Service Pack 2

9:08:10 PM 14/07/2008
mbam-log-7-14-2008 (21-08-10).txt

Scan type: Quick Scan
Objects scanned: 45936
Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
Joanne
« Reply #10 on: July 14, 2008, 11:09:15 AM »

Logfile of HijackThis v1.99.1
Scan saved at 9:09:13 PM, on 14/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\vVX1000.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PC-TV\WinManager\WinManager.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jo\Desktop\Bluevex 5.3\Bluevex 5.3\Blu.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lorbs.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [lifeCam] "c:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2007&error=0&language=en&product=SymNRT&version=2008.0.1.19&build=Symantec&a=00000082.00000002.00000002&b=00000082.0000000f.0000001b&c=00000082.00000010.00000020&d=00000082.00000015.00000022&e=00000082.00000049.000000b9
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab50997.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Logged
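The moderator asks for a fresh HijackThis log after each step (Reply #6 and Reply #10 above) and reads it by eye. As an added example, not code from this thread or from HijackThis itself, here is a Python triage script that splits such a log into its entries, flags three things a reviewer would want to confirm (an O23 service whose binary is missing, an O4 autorun with an empty value name, and an O4 command given without a directory, which the loader resolves through the search path), and diffs two logs so that only the entries that changed between them need attention. The flag rules are my own heuristics, and the sample is a constructed excerpt of the logs above with the long Symantec URL shortened.

```python
import re

# Constructed excerpt in the layout of the HijackThis v1.99.1 logs posted
# above (Reply #6 and Reply #10); the long Symantec URL is shortened.
SAMPLE_HJT = r'''Logfile of HijackThis v1.99.1
Scan saved at 9:09:13 PM, on 14/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lorbs.livejournal.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2007
O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
'''

# Every HijackThis entry starts with a section code (R0, O2, O4, O23, ...).
ENTRY_RE = re.compile(r'^([RFNO]\d+) - (.*)$')
# O4 registry autoruns look like "<hive>\..\Run: [<value name>] <command>";
# Startup-folder shortcuts ("name.lnk = path") have no [name] field.
O4_RE = re.compile(r'^(?P<hive>.+?): \[(?P<name>.*?)\] (?P<command>.*)$')


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, skipping the header
    and the 'Running processes' list, which carry no section code."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Return (section, reason, body) for entries worth a second look.
    The three rules below are heuristics chosen for this example."""
    findings = []
    for section, body in entries:
        if section == 'O23' and body.endswith('(file missing)'):
            findings.append((section, 'service binary is missing', body))
        elif section == 'O4':
            m = O4_RE.match(body)
            if not m:
                continue
            if m.group('name') == '':
                findings.append((section, 'autorun value with an empty name', body))
            # First token of the command, with surrounding quotes removed; a
            # bare file name has no directory and is found via the search path.
            first = m.group('command').strip('"').split(' ', 1)[0]
            if '\\' not in first:
                findings.append((section, 'command has no directory (resolved via the search path)', body))
    return findings


def diff_logs(old_entries, new_entries):
    """(added, removed): entries that appeared in, or vanished from, the newer
    log, so a fresh log can be compared against the previous one."""
    old, new = set(old_entries), set(new_entries)
    return sorted(new - old), sorted(old - new)


if __name__ == '__main__':
    entries = parse_hjt(SAMPLE_HJT)
    print(f'{len(entries)} entries parsed')
    for section, reason, body in triage(entries):
        print(f'[{section}] {reason}: {body}')
```

On the full Reply #10 log the same rules single out the LVPrcSrv service (file missing), the unnamed HKCU RunOnce entry that launches Firefox with a Symantec URL, and the two Run values given as bare file names (KHALMNPR.EXE and RUNDLL32.EXE); none of those is necessarily malicious, which is exactly why they are reported as items to confirm rather than as detections.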
Pancake
« Reply #11 on: July 14, 2008, 11:29:05 AM »

That looks ok. You should be fine now...


This will clear away any of the files and folders that were created by ComboFix.

Go to :
Start > Run then copy and paste the following highlighted text below and click OK.

Quote

ComboFix /u

Joanne
« Reply #12 on: July 14, 2008, 11:44:23 AM »

Thank you for all your help/time Pancake! :-)
Pancake
« Reply #13 on: July 14, 2008, 10:38:25 PM »

You're welcome.