MSN MSIE Wont connect, virus. OH NOES!

Page 3 - Tom's Hardware community
Blackhawk, where are you seeing svhost? You've mentioned it a couple of times, but none of the logs show it.

If you mean svchost, it is normal for there to be multiple instances of this process running.

Processlibrary.com is an excellent source of information; I often use it myself, but unless the result is definite I don't action anything.

Kevin, we are almost at the stage where an online scan is run, please don't delete or alter anything until we have that log. It will be one of the last things we need to do.

 
YEAH! I mean svchost, sorry for misspelling. I know it's normal, but it's known to also be a virus that mimics its name :)

-And this is funny: as we speak I just caught some virus called heur.dropper, and every ten seconds when it tries to activate itself, my AVG catches it and I move it to the virus vault. Right now, while AVG keeps it on a leash, I am scanning with Malwarebytes to finish the job :) AVG+Malwarebytes=Perfect Combination
 
It's all good. No harm, no foul.

You have to keep in mind malware writers do their best to disguise normal running processes as their own. There are many examples of this.

svchost vs scvhost is but one.

msmsgs is another, the older version of Messenger which came pre-installed on an MS OS.

The best thing ever is the copy and paste function; this eliminates 1's and l's and sneakily included characters.

One example in the current thread is flashd32.dll; notice the d hidden sneakily between flash and 32?
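Added example, not from the thread or from any tool it mentions: a small Python checker for the lookalike-name point above. It folds visually confusable characters (the 1's and l's), uses an edit distance that counts a transposition such as scvhost/svchost as a single step, and also flags a legitimate name running from an unexpected directory, which is the usual way a fake svchost is spotted. The allow-list of binaries and their home directories is a constructed assumption for the example, not an authoritative table.

```python
import ntpath

# Constructed allow-list for this example: well-known Windows XP binaries and
# the single directory each is expected to run from. Not exhaustive; an
# assumption for illustration, not a definitive reference.
KNOWN_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "msmsgs.exe": r"c:\program files\messenger",
}

# Characters that look alike in many fonts: the "1's and l's" problem.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "|": "l"})


def normalize(name: str) -> str:
    """Lower-case a file name and fold visually confusable characters."""
    return name.lower().translate(CONFUSABLES)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute/transpose.

    A transposition counts as one edit, so 'scvhost' is one step from
    'svchost'; plain Levenshtein would score it as two.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(path: str) -> tuple:
    """Return (verdict, reference_name) for one full path.

    verdict is one of:
      'ok'        known name in its expected directory
      'wrong-dir' known name running from somewhere else
      'lookalike' within one edit (after confusable folding) of a known name
      'unknown'   not in the table and not close to anything in it
    """
    directory, name = ntpath.split(path.lower())
    if name in KNOWN_BINARIES:
        expected = KNOWN_BINARIES[name]
        return ("ok" if directory == expected else "wrong-dir", name)
    folded = normalize(name)
    if folded in KNOWN_BINARIES:        # differs only by 1/l, 0/o style swaps
        return ("lookalike", folded)
    for legit in KNOWN_BINARIES:
        if osa_distance(folded, legit) == 1:
            return ("lookalike", legit)
    return ("unknown", name)


def scan(paths) -> dict:
    """Classify every path and return only the ones worth a second look."""
    findings = {}
    for path in paths:
        verdict, ref = classify(path)
        if verdict != "ok":
            findings[path] = (verdict, ref)
    return findings


if __name__ == "__main__":
    # Constructed sample in the style of a process listing; not the thread's log.
    sample = [
        r"c:\windows\system32\svchost.exe",
        r"c:\windows\scvhost.exe",
        r"c:\documents and settings\kev\svchost.exe",
        r"c:\windows\system32\svch0st.exe",
        r"c:\windows\system32\flashd32.dll",
        r"c:\windows\explorer.exe",
    ]
    for path, (verdict, ref) in scan(sample).items():
        print(f"{verdict:9} {path}  (cf. {ref})")
```

An 'unknown' verdict is not a detection on its own; it only says the name is not one the table vouches for and should be looked up (Processlibrary.com, as mentioned above) before anything is actioned.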
 
ComboFix 09-07-14.08 - kev 07/18/2009 13:41.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2158 [GMT -4:00]
Running from: c:\documents and settings\kev\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kev\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active


FILE ::
"C:\vfjmbvbg.exe"
"c:\windows\system32\drivers\cbdf3c78.sys"
"c:\windows\system32\flashd32.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\cbdf3c78.sys
c:\windows\system32\flashd32.dll
.
---- Previous Run -------
.
c:\documents and settings\kev\Application Data\bcrypt.html
c:\documents and settings\kev\Application Data\inst.exe
c:\program files\WinPCap\rpcapd.exe
c:\windows\010112010146118114.dat
c:\windows\system32\ATIODCLI.exe
c:\windows\system32\ATIODE.exe
c:\windows\system32\drivers\hjgruimugohrfu.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\hjgruiakwuisux.dat
c:\windows\system32\hjgruinqtacyvt.dll
c:\windows\system32\hjgruinwovsuab.dll
c:\windows\system32\hjgruiycxmjqnm.dat
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\uuddc32.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiyfvxjeao
-------\Legacy_acpi32
-------\Legacy_npf
-------\Legacy_sfx
-------\Legacy_sfxdrv
-------\Service_npf
-------\Service_sfx
-------\Service_cbdf3c78


((((((((((((((((((((((((( Files Created from 2009-06-18 to 2009-07-18 )))))))))))))))))))))))))))))))
.

2009-07-18 17:06 . 2009-07-18 17:06 -------- d-----w- c:\documents and settings\kev\Application Data\ESET
2009-07-18 17:03 . 2009-07-18 17:03 -------- d-----w- c:\program files\ESET
2009-07-17 23:07 . 2009-07-18 00:56 -------- d-----w- c:\program files\ICQ6.5
2009-07-17 04:22 . 2009-07-18 17:41 -------- d-----w- c:\documents and settings\kev\Local Settings\Application Data\ESET
2009-07-16 04:30 . 2009-07-16 07:11 -------- d-----w- c:\program files\Trillian
2009-07-16 03:48 . 2009-07-18 19:38 117760 ----a-w- c:\documents and settings\kev\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-16 03:44 . 2009-07-16 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-16 03:43 . 2009-07-16 03:43 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-16 03:43 . 2009-07-16 03:43 -------- d-----w- c:\documents and settings\kev\Application Data\SUPERAntiSpyware.com
2009-07-16 03:34 . 2009-07-16 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-16 00:16 . 2009-07-16 00:16 -------- d-----w- c:\windows\system32\config\systemprofile\Tracing
2009-07-15 14:25 . 2009-07-15 14:25 8224 ----a-w- c:\documents and settings\Administrator.PIMP-6BVMACV9YE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-15 14:25 . 2009-07-15 14:25 -------- d-----w- c:\documents and settings\Administrator.PIMP-6BVMACV9YE\Application Data\Ahead
2009-07-15 14:25 . 2009-07-15 14:25 -------- d-----w- c:\documents and settings\Administrator.PIMP-6BVMACV9YE\Local Settings\Application Data\Ahead
2009-07-15 04:26 . 2009-07-15 04:26 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-15 04:26 . 2009-07-15 04:27 -------- d-----w- c:\documents and settings\kev\.housecall6.6
2009-07-15 04:19 . 2009-07-15 04:19 -------- d-----w- c:\program files\Trend Micro
2009-07-14 05:55 . 2009-07-18 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-07-14 05:44 . 2009-07-14 05:44 0 ----a-w- c:\windows\nsreg.dat
2009-07-14 05:44 . 2009-07-14 05:44 -------- d-----w- c:\documents and settings\kev\Local Settings\Application Data\Mozilla
2009-07-13 04:30 . 2009-07-14 02:42 -------- d-----w- c:\program files\Easy-Hide-IP
2009-07-07 06:06 . 2009-07-07 06:06 -------- d-----w- c:\windows\system32\NtmsData
2009-06-28 00:21 . 2009-06-28 00:21 -------- d-----w- c:\documents and settings\kev\Report Files
2009-06-28 00:12 . 2009-06-28 00:15 1024 ---h--r- c:\windows\system32\NTIBUN4.dll
2009-06-28 00:12 . 2009-06-28 00:12 6144 ----a-w- c:\windows\system32\drivers\NTIDrvr.sys
2009-06-24 01:53 . 2009-06-24 01:55 -------- d-----w- c:\documents and settings\kev\Application Data\Winamp
2009-06-24 01:53 . 2009-06-24 01:55 -------- d-----w- c:\program files\Winamp
2009-06-21 04:47 . 2009-06-21 04:47 -------- d-----w- c:\program files\QuickTime
2009-06-21 04:47 . 2009-06-21 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-18 19:39 . 2009-02-01 19:31 -------- d-----w- c:\program files\Steam
2009-07-18 19:38 . 2008-08-16 02:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-18 16:32 . 2009-06-18 03:19 -------- d-----w- c:\program files\SpeedFan
2009-07-18 01:54 . 2009-01-29 02:54 -------- d-----w- c:\program files\Hard Disk Sentinel
2009-07-17 23:08 . 2008-08-10 13:25 -------- d-----w- c:\program files\ICQ6
2009-07-17 22:30 . 2009-06-11 05:49 -------- d-----w- c:\program files\FreeRapid-0.82
2009-07-17 08:06 . 2009-04-10 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-17 04:27 . 2004-08-04 15:00 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-07-16 03:53 . 2009-01-24 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-16 03:43 . 2009-01-24 03:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-16 03:37 . 2008-07-01 16:47 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-16 01:21 . 2008-09-13 15:37 -------- d-----w- c:\program files\FlashFXP
2009-07-15 04:11 . 2009-01-24 06:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-07-14 12:53 . 2008-07-01 15:02 70064 ----a-w- c:\documents and settings\kev\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-14 04:56 . 2008-07-01 15:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-14 02:41 . 2009-01-24 03:33 -------- d-----w- c:\program files\Total Video Converter
2009-07-14 02:37 . 2009-01-18 22:42 -------- d-----w- c:\program files\Garena
2009-07-14 01:49 . 2009-01-31 22:52 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-10 21:56 . 2009-04-05 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-07-07 05:48 . 2009-07-07 05:47 -------- d-----w- c:\program files\C-Media USB Sound
2009-06-16 14:36 . 2004-08-04 15:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 15:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 02:31 . 2008-07-18 18:04 -------- d-----w- c:\documents and settings\kev\Application Data\Image Zone Express
2009-06-09 06:40 . 2009-06-09 06:40 -------- d-----w- c:\program files\Motherboard Monitor 5
2009-06-05 23:37 . 2009-04-27 02:59 8673792 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2009-06-05 23:36 . 2009-06-05 23:36 -------- d-----w- c:\program files\Common Files\Pure Networks Shared
2009-06-05 22:54 . 2009-06-05 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Maxtor
2009-06-05 22:54 . 2009-06-05 22:51 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-06-05 22:54 . 2009-06-05 22:51 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-06-05 22:54 . 2009-06-05 22:51 132224 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-06-05 22:54 . 2009-06-05 22:51 368480 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2009-06-05 22:54 . 2009-06-05 22:50 -------- d-----w- c:\program files\Common Files\Seagate
2009-06-05 22:51 . 2009-06-05 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2009-06-05 22:50 . 2009-06-05 22:50 -------- d-----w- c:\program files\Seagate
2009-06-03 19:09 . 2004-08-04 15:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-31 07:31 . 2009-04-25 21:12 -------- d-----w- c:\documents and settings\kev\Application Data\Nokia
2009-05-31 03:28 . 2009-05-31 03:28 -------- d-----w- c:\program files\AGEIA Technologies
2009-05-31 03:28 . 2009-05-31 03:28 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-05-31 03:28 . 2009-05-31 03:28 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-05-31 03:28 . 2009-05-31 03:28 -------- d-----w- c:\program files\OpenAL
2009-05-14 03:04 . 2009-05-14 03:04 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-05-07 15:32 . 2004-08-04 15:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 15:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 15:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-25 21:28 . 2009-04-25 21:28 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
2009-04-25 21:28 . 2009-04-25 21:28 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-04-25 21:28 . 2009-04-25 21:28 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
2009-04-25 21:28 . 2009-04-25 21:29 34396584 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_eng.exe
2009-04-20 04:18 . 2009-04-20 04:18 161352 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-17 21:53 . 2009-07-16 02:14 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-17_09.54.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-18 17:53 . 2009-07-18 17:53 16384 c:\windows\temp\Perflib_Perfdata_61c.dat
+ 2009-07-18 17:53 . 2009-07-18 17:53 16384 c:\windows\temp\Perflib_Perfdata_5ac.dat
+ 2009-07-18 17:10 . 1996-01-12 21:00 24576 c:\windows\system32\STKIT432.DLL
+ 2008-07-01 13:04 . 2008-07-01 13:04 54280 c:\windows\system32\drivers\epfwtdi.sys
+ 2008-07-01 13:04 . 2008-07-01 13:04 30728 c:\windows\system32\drivers\epfwndis.sys
+ 2008-07-01 13:04 . 2008-07-01 13:04 71688 c:\windows\system32\drivers\epfw.sys
+ 2007-11-14 19:04 . 2008-07-01 12:57 53256 c:\windows\system32\drivers\easdrv.sys
+ 2007-11-14 19:03 . 2008-07-01 12:56 39944 c:\windows\system32\drivers\eamon.sys
+ 2009-07-18 17:04 . 2009-07-18 17:04 10134 c:\windows\Installer\{FBF09842-EB7F-4BC2-BD32-DDE2572B2195}\callmsi.exe
+ 2009-07-18 17:04 . 2009-07-18 17:04 849408 c:\windows\Installer\1f6e45.msi
+ 2009-07-18 17:04 . 2009-07-18 17:04 140544 c:\windows\Installer\{FBF09842-EB7F-4BC2-BD32-DDE2572B2195}\egui.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-03-08 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"RocketDock"="c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe" [2007-03-18 630784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
"Steam"="c:\program files\steam\steam.exe" [2009-06-11 1217784]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-03-01 172792]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX6000"="c:\windows\vVX6000.exe" [2007-04-10 996712]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"Maxtor Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-24 136472]
"MaxBlastMonitor.exe"="c:\program files\Seagate\DiscWizard\MaxBlastMonitor.exe" [2008-06-27 1325800]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"Hard Disk Sentinel"="c:\program files\Hard Disk Sentinel\HDSentinel.exe" [2009-01-29 3407360]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-24 1325848]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2008-06-25 904768]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-03-08 3885408]

c:\documents and settings\kev\Start Menu\Programs\Startup\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-3-18 630784]
TransBar.lnk - c:\windows\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-6-1 65536]
UberIcon.lnk - c:\windows\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-5-21 180224]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
UltraMon.lnk - c:\windows\Installer\{AF0FA6D7-96F3-468A-ABB7-28BE006EA8E9}\IcoUltraMon.ico [2009-1-20 29310]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^kev^Start Menu^Programs^Startup^Popup Ad Stopper.lnk]
backup=c:\windows\pss\Popup Ad Stopper.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Active Desktop Calendar
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf7husjnfg98gi498aejhiugjkdg4
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcgk8j0e7er
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PromoReg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhclk8j0e7er
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThePrivacyGuard
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows System Recover!

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Sega\\OutRun2006 Coast 2 Coast\\OR2006C2C.EXE"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=
"c:\\Program Files\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Windows Live\\Toolbar\\wltuser.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"94:TCP"= 94:TCP:VRS Recording System Web Control Panel
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [1/19/2009 2:48 AM 355840]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12/21/2007 8:21 AM 468224]
R2 FLE5WNNT;FLE-5 WindowsNT Driver;c:\windows\system32\drivers\fle5wnnt.sys [10/1/2008 10:42 PM 33404]
R2 FLSIFACE;FLSIface;c:\windows\system32\drivers\flsiface.sys [10/1/2008 10:42 PM 13440]
R2 FLSPAR;FLSPar;c:\windows\system32\drivers\flspar.sys [10/1/2008 10:42 PM 16314]
R2 FLSSER;FLSSer;c:\windows\system32\drivers\flsser.sys [10/1/2008 10:42 PM 8344]
R2 FLSVCOM;FLSVCom;c:\windows\system32\drivers\flsvcom.sys [10/1/2008 10:42 PM 32544]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2/17/2009 11:42 PM 55152]
R2 MaxSch2Svc;Maxtor Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 7:56 PM 431384]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2/12/2009 9:58 AM 603904]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 9:22 PM 11776]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [7/1/2008 11:13 AM 36864]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [9/24/2006 9:23 PM 3584]
R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [7/1/2008 2:59 PM 2385896]
S2 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist --> c:\program files\AMD\OverDrive\AODAssist [?]
S2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 7:56 PM 431384]
S3 cmudau32;C-Media USB UDA Sound Interface;c:\windows\system32\drivers\cmudaxu.sys [7/7/2009 1:48 AM 1414528]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 7:08 PM 533360]
S3 TempLog;TempLog;c:\program files\Hard Disk Sentinel\HDSentinel.sys [1/28/2009 10:54 PM 3897]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-07-18 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 20:36]

2009-07-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = 192.168.0.1:80
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
FF - ProfilePath - c:\documents and settings\kev\Application Data\Mozilla\Firefox\Profiles\diijkrzm.default\
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".dk");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-18 15:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AODService]
"ImagePath"="c:\program files\AMD\OverDrive\AODAssist"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-2052111302-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e1,a2,57,6c,62,5b,85,a2,a8,9c,e9,c3,5d,5d,4c,5b,9c,92,23,53,02,a1,ad,
95,c7,06,0f,fc,e6,0a,94,67,79,c7,93,61,e3,cf,15,2d,3d,87,a4,a7,2a,38,0c,dd,\
"??"=hex:7a,c4,64,3e,f1,c6,6d,2f,35,f3,38,19,d6,30,65,29

[HKEY_USERS\S-1-5-21-1085031214-2052111302-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:00,2e,f7,96,b7,9c,e9,10,21,63,e7,12,0c,a8,fc,3b,cc,a5,41,d0,06,
3e,da,39,70,5e,a0,d6,f8,a0,47,6d,b6,48,04,5e,bb,74,47,f7,9d,f2,97,4c,f8,b5,\
"rkeysecu"=hex:92,69,ef,6b,3d,a6,bf,ab,b1,ed,40,64,14,5b,6e,b2
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1096)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(1012)
c:\windows\system32\SHDOCVW.dll
c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.dll
c:\windows\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon.dll
c:\windows\system32\ntshrui.dll
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\windows\system32\WgaTray.exe
c:\windows\system32\devldr32.exe
c:\program files\UltraMon\UltraMon.exe
c:\program files\UltraMon\UltraMonTaskbar.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2009-07-18 15:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-18 19:43

Pre-Run: 170,904,162,304 bytes free
Post-Run: 170,944,937,984 bytes free

409 --- E O F --- 2009-07-17 08:06