
Combofix Log


Post by peter424 » November 5th, 2008, 10:46 pm

Hi, I'm a total noob here, so sorry about that. So can I upload my ComboFix logs here? Thanks
peter424
Regular Member
 
Posts: 21
Joined: November 5th, 2008, 4:17 pm

Re: Combofix Log

Post by Shaba » November 8th, 2008, 5:51 am

Hi peter424

You are not supposed to run tools like ComboFix unsupervised.

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Combofix Log

Post by peter424 » November 9th, 2008, 2:30 am

Thank you for responding. Didn't know about ComboFix. Seemed to work OK. Anyway, here is the HijackThis logfile. Since then I tried a bunch of stuff and think it just might be possible I cleared up this ZLOB thing I had, but not quite sure.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:38 AM, on 11/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Download 1\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.games-fusion.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [EPSON PictureMate 2005] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9ZA.EXE /P22 "EPSON PictureMate 2005" /O6 "USB001" /M "PictureMate 2005"
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = D:\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/ ... .2.100.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.4.1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDow ... rtScan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C0937C2-B7A6-49A6-8322-062F5F8A4F5E}: NameServer = 68.87.73.242,68.87.71.226
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7344 bytes

Hey, thanks again.
Peter
peter424
Regular Member
 
Posts: 21
Joined: November 5th, 2008, 4:17 pm
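As an added example (not code from MalwareRemoval.com or from HijackThis itself), the following Python parses HijackThis 2.0 log lines like those in the post above into section/entry records and flags the items a helper would examine first. The sample lines are copied from the posted log; the section descriptions and flag rules are this example's own summary of the HijackThis section layout and are assumptions, not output of the tool.

```python
"""Parse HijackThis 2.0-style log lines and flag the entries a helper looks at first.

Added example, not code from MalwareRemoval.com or from HijackThis itself.
The sample lines below are copied from the log posted in this thread; the
section descriptions and flag rules are this example's own summary of the
HijackThis section layout and are assumptions, not the tool's output.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: eight lines taken from the posted HijackThis log.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.games-fusion.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C0937C2-B7A6-49A6-8322-062F5F8A4F5E}: NameServer = 68.87.73.242,68.87.71.226
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Meaning of the section codes that appear in the posted log (assumed summary).
SECTIONS: Dict[str, str] = {
    "R0": "IE start/search page", "R1": "IE default URL setting",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart (Run key or Startup folder)", "O8": "IE context-menu item",
    "O9": "IE extra button/menu item", "O10": "Winsock LSP",
    "O16": "ActiveX download (DPF)", "O17": "DNS/NameServer setting",
    "O18": "protocol handler", "O20": "AppInit_DLLs / Winlogon Notify",
    "O23": "Windows service",
}

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# First drive-letter path ending in a loadable module; spaces are allowed in the path.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|sys|ocx|ax))(?=\s|$)", re.IGNORECASE)


@dataclass
class Entry:
    code: str                 # section code, e.g. "O4"
    body: str                 # text after "O4 - "
    path: Optional[str]       # first module path found in the body, if any
    notes: List[str] = field(default_factory=list)

    @property
    def section(self) -> str:
        return SECTIONS.get(self.code, "unknown section")


def parse_hjt(text: str) -> List[Entry]:
    """Turn the log into Entry records; header and 'Running processes' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        pm = PATH_RE.search(body)
        entries.append(Entry(code, body, pm.group(1) if pm else None))
    return entries


def section_counts(entries: List[Entry]) -> Dict[str, int]:
    """How many entries each section code contributed."""
    return dict(Counter(e.code for e in entries))


def review(entries: List[Entry]) -> List[Entry]:
    """Attach a note to entries worth a second look and return only those."""
    for e in entries:
        if "(file missing)" in e.body:
            e.notes.append("orphaned entry: registered module is no longer on disk")
        if e.code == "O10":
            e.notes.append("LSP chain entry: identify the DLL's vendor first; a bad LSP "
                           "removal breaks networking, so use an LSP-aware fix")
        if e.code == "O17":
            e.notes.append("NameServer override: confirm the addresses belong to the ISP")
        if e.code == "O20" and e.body.startswith("AppInit_DLLs"):
            e.notes.append("AppInit_DLLs loads into every user32 process: confirm vendor")
        if e.code == "O23" and "Unknown owner" in e.body:
            e.notes.append("service with no vendor string: check the file's origin/signature")
    return [e for e in entries if e.notes]


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print("entries per section:", section_counts(found))
    for e in review(found):
        print(f"{e.code} ({e.section}): {e.path or e.body}")
        for n in e.notes:
            print("   ->", n)
```

Run against the full posted log, the flagged set is what the helper reads first; everything else (vendor-attributed services, known autostarts) is the "harmless or even required" material the earlier reply warns against fixing.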

Re: Combofix Log

Post by Shaba » November 9th, 2008, 5:36 am

Yes, the log looks pretty fine.

Go to start - run

Type notepad c:\ComboFix.txt and click OK.

Post back the contents of the file that opens, please.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Combofix Log

Post by peter424 » November 9th, 2008, 6:15 pm

OK, thanks. Here is the ComboFix log you requested:

ComboFix 08-11-04.02 - Primary 2008-11-05 20:52:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1552 [GMT -5:00]
Running from: c:\documents and settings\Primary\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Primary\Favorites\SMS TRAP.url
c:\documents and settings\Primary\Start Menu\SMS TRAP.url

.
((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
.

2008-11-05 19:15 . 2008-11-05 19:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-05 19:15 . 2008-11-05 19:15 <DIR> d-------- c:\documents and settings\Primary\Application Data\Malwarebytes
2008-11-05 19:15 . 2008-11-05 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-05 19:15 . 2008-10-22 16:28 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-05 19:15 . 2008-10-22 16:28 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-05 18:06 . 2008-11-05 18:06 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-05 18:06 . 2008-11-05 18:06 <DIR> d-------- c:\documents and settings\Primary\Application Data\SUPERAntiSpyware.com
2008-11-05 18:06 . 2008-11-05 18:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-05 03:05 . 2008-11-05 03:05 <DIR> d-------- c:\program files\GiPo@Utilities
2008-11-05 03:05 . 2008-11-05 03:05 <DIR> d-------- c:\program files\Common Files\Gibinsoft Shared
2008-11-05 00:06 . 2008-11-05 19:06 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-02 12:36 . 2008-11-05 18:01 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-02 11:48 . 2008-11-02 11:48 <DIR> d-------- c:\program files\Lavasoft
2008-11-02 11:48 . 2008-11-02 11:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-30 22:22 . 2008-10-30 22:22 682,280 --a------ c:\windows\system32\pbsvc.exe
2008-10-25 21:26 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-22 20:20 . 2008-10-22 20:20 281 --a------ c:\windows\irremote.ini
2008-10-18 22:02 . 2008-10-18 22:02 <DIR> d-------- c:\program files\FrostWire
2008-10-18 22:02 . 2008-10-25 21:43 <DIR> d-------- c:\documents and settings\Primary\Application Data\FrostWire
2008-10-16 23:20 . 2008-10-16 23:20 <DIR> d-------- c:\windows\system32\AGEIA
2008-10-16 23:20 . 2008-10-16 23:20 <DIR> d-------- c:\program files\AGEIA Technologies
2008-10-16 22:58 . 2005-02-04 12:37 131,072 --a------ c:\windows\system32\hcwsched.ocx
2008-10-16 22:58 . 1998-06-25 22:00 89,600 --a------ c:\windows\system32\MSCAL.OCX
2008-10-16 22:58 . 2005-01-12 14:29 69,696 --a------ c:\windows\system32\CHSUITE.OCX
2008-10-16 22:58 . 2005-02-21 13:36 69,632 --a------ c:\windows\system32\hcwsched.dll
2008-10-16 22:58 . 2002-12-27 11:33 65,536 --a------ c:\windows\system32\dmcrypto.dll
2008-10-16 22:58 . 2001-01-12 10:02 53,248 --a------ c:\windows\system32\MDCustomPanels.ocx
2008-10-16 22:57 . 2008-10-16 22:57 <DIR> d-------- c:\windows\system32\hauppauge
2008-10-16 22:57 . 2004-02-23 08:44 236,544 --a------ c:\windows\system32\DivXdec.ax
2008-10-16 22:57 . 2002-10-31 21:32 53,248 --a------ c:\windows\system32\hcwfwrit.ax
2008-10-16 22:57 . 2008-10-16 22:57 3,070 --a------ c:\windows\HCWPNP.INI
2008-10-16 22:20 . 2008-10-16 22:20 <DIR> d-------- C:\MyVideos
2008-10-16 22:20 . 2002-12-17 10:15 77,824 --a------ c:\windows\system32\hcwsplit.ax
2008-10-16 22:20 . 2002-12-18 16:02 69,632 --a------ c:\windows\system32\hcwfread.ax
2008-10-16 21:35 . 2008-10-16 22:58 <DIR> d-------- c:\program files\WinTV
2008-10-16 21:25 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-16 21:25 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-16 21:25 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-16 21:25 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-16 21:25 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-16 21:25 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-14 17:46 . 2008-10-14 17:47 <DIR> d-------- c:\documents and settings\Primary\Application Data\Move Networks
2008-10-07 23:32 . 2008-10-07 23:32 <DIR> d-------- C:\Swsetup
2008-10-07 17:34 . 2008-10-07 17:34 <DIR> d-------- c:\documents and settings\Primary\Application Data\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 01:48 --------- d-----w c:\documents and settings\Primary\Application Data\U3
2008-11-06 00:15 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-05 23:06 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-01 14:15 138,464 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-11-01 14:15 111,928 ----a-w c:\windows\system32\PnkBstrB.exe
2008-10-31 03:23 22,328 ----a-w c:\documents and settings\Primary\Application Data\PnkBstrK.sys
2008-10-31 03:22 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-10-31 03:22 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-27 23:00 --------- d-----w c:\program files\Hewlett-Packard
2008-10-04 19:01 --------- d-----w c:\program files\Windows Media Connect 2
2008-09-19 02:09 --------- d-----w c:\documents and settings\All Users\Application Data\NexonUS
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\win32k.sys
2008-09-12 03:15 4,166 ----a-w c:\windows\system32\ealregsnapshot1.reg
2008-09-08 10:41 333,824 ------w c:\windows\system32\drivers\srv.sys
2008-09-07 23:39 --------- d-----w c:\documents and settings\Primary\Application Data\SPORE
2008-09-07 23:38 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-07 23:38 --------- d-----w c:\program files\Electronic Arts
2008-09-04 13:31 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe
2008-09-01 14:02 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2008-09-01 00:52 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-09-01 00:41 81,984 ----a-w c:\windows\system32\bdod.bin
2008-08-29 16:06 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll
2008-08-29 12:57 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-08-27 17:58 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-20 22:35 122,880 ----a-w c:\windows\system32\NVCOSMB.DLL
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-06-29 16:22 66,936 --sha-w c:\windows\dlinfo_0.drv
2008-06-09 07:14 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060920080610\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-07 1871872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"EPSON PictureMate 2005"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9ZA.EXE" [2005-02-14 98304]
"Diamondback"="c:\program files\Razer\Diamondback\razerhid.exe" [2007-02-14 147456]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="d:\itunes\iTunesHelper.exe" [2008-06-02 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-10-04 c:\windows\soundman.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
NkbMonitor.exe.lnk - d:\nikon\PictureProject\NkbMonitor.exe [2006-12-17 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Brother\\BRCDUTL\\BRHL2040\\inthelp.exe"=
"c:\\Program Files\\AvRack\\rtlrack.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\Steam\\SteamApps\\plowenfeld@yahoo.com\\day of defeat source\\hl2.exe"=
"d:\\Steam\\SteamApps\\plowenfeld@yahoo.com\\counter-strike source\\hl2.exe"=
"d:\\Steam\\SteamApps\\plowenfeld@yahoo.com\\half-life 2 deathmatch\\hl2.exe"=
"d:\\Steam\\SteamApps\\plowenfeld@yahoo.com\\half-life deathmatch source\\hl2.exe"=
"d:\\DK2\\DKII.exe"=
"d:\\Steam\\SteamApps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"d:\\Steam\\steam.exe"=
"d:\\Steam\\SteamApps\\utzzzz\\day of defeat source\\hl2.exe"=
"d:\\Sierra\\FEAR\\FEAR.exe"=
"d:\\Sierra\\FEAR\\FEARMP.exe"=
"d:\\Steam\\SteamApps\\jack1105\\counter-strike source\\hl2.exe"=
"d:\\Steam\\SteamApps\\jack1105\\half-life 2 deathmatch\\hl2.exe"=
"d:\\AIM\\aim.exe"=
"d:\\Sierra\\FEAR\\FEARServer.exe"=
"d:\\Steam\\SteamApps\\utzzzz\\half-life 2\\hl2.exe"=
"d:\\Steam\\SteamApps\\jack1105\\half-life 2\\hl2.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"d:\\Microsoft Games\\Close Combat III\\CC3.exe"=
"d:\\Steam\\SteamApps\\plowenfeld@yahoo.com\\condition zero\\hl.exe"=
"d:\\Steam\\SteamApps\\utzzzz\\counter-strike source\\hl2.exe"=
"d:\\Starcraft\\StarCraft.exe"=
"d:\\Steam\\SteamApps\\utzzzz\\counter-strike\\hl.exe"=
"d:\\Steam\\SteamApps\\plowenfeld@yahoo.com\\counter-strike\\hl.exe"=
"d:\\Ubisoft\\Faces of War\\facesofwar.exe"=
"d:\\Steam\\SteamApps\\plowenfeld@yahoo.com\\source sdk base\\hl2.exe"=
"d:\\Steam\\SteamApps\\jack1105\\source sdk base\\hl2.exe"=
"d:\\Steam\\SteamApps\\utzzzz\\day of defeat\\hl.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\3DO\\Heroes3\\Heroes3.EXE"=
"c:\\Program Files\\3DO\\Heroes3\\h3maped.exe"=
"d:\\Steam\\SteamApps\\jack1105\\day of defeat source\\hl2.exe"=
"e:\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
"e:\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=
"d:\\Steam\\SteamApps\\plowenfeld@yahoo.com\\team fortress 2\\hl2.exe"=
"d:\\Steam\\SteamApps\\plowenfeld@yahoo.com\\day of defeat source beta\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"e:\\Diablo\\diablo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\iTunes\\iTunes.exe"=
"g:\\Ubisoft\\Gearbox Software\\BrothersInArmsEiB\\System\\EiB.exe"=
"d:\\Steam\\SteamApps\\jack1105\\garrysmod\\hl2.exe"=
"g:\\THQ\\Pandemic Studios\\Full Spectrum Warrior\\Launcher.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"g:\\Activision\\Call of Duty - World at War Beta\\CoDWaWbeta.exe"=

R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\DRIVERS\agpkx.sys [2005-05-03 45056]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-31 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-31 231704]
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [2006-01-25 472644]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\Drivers\Razerlow.sys [2005-04-24 13225]
S0 m5289;m5289;c:\windows\system32\DRIVERS\m5289.sys [ ]
S2 ATIBTCAP;ATI TV Wonder Video Capture;c:\windows\system32\drivers\atibtcap.sys [2002-11-05 58240]
S2 ATIBTXBAR;ATI TV Wonder Video Crossbar;c:\windows\system32\drivers\atibtxbr.sys [2002-11-05 6912]
S2 ATIVTUTW;ATI TV Wonder TV Tuner;c:\windows\system32\drivers\ativtutw.sys [2002-11-05 17664]
S2 ATIVXSTW;ATI TV Wonder Audio Crossbar;c:\windows\system32\drivers\ativxstw.sys [2002-11-05 28416]
S3 AC97ALI;Service for AC'97 Driver (WDM);c:\windows\system32\drivers\ali55wdm.sys [2004-08-27 63488]
S3 lac97inf;lac97inf;c:\docume~1\Primary\LOCALS~1\Temp\lac97inf.sys [ ]
S3 usbprint;Microsoft USB PRINTER Class;c:\windows\system32\DRIVERS\usbprint.sys [2008-04-13 25856]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

BHO-{3A303EF6-2598-4D2D-B4DA-DEFA7CD0DC51} - c:\windows\system32\ifsndu.dll
HKLM-Run-HostManager - c:\program files\Common Files\AOL\1147128604\ee\AOLSoftware.exe
Notify-AtiExtEvent - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Primary\Application Data\Mozilla\Firefox\Profiles\jxe0eec4.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.msn.com/
FF -: plugin - c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
FF -: plugin - d:\itunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 20:54:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-05 20:54:53
ComboFix-quarantined-files.txt 2008-11-06 01:54:50

Pre-Run: 6,221,721,600 bytes free
Post-Run: 6,251,724,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

237 --- E O F --- 2008-10-26 02:28:12


Boy, I sure would like to know how to read/what to look for in these logs.......
Thanks very much again.
Peter
peter424
Regular Member
 
Posts: 21
Joined: November 5th, 2008, 4:17 pm

Re: Combofix Log

Post by Shaba » November 10th, 2008, 5:28 am

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

Image

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Combofix Log

Post by peter424 » November 11th, 2008, 10:55 pm

OK, so here is that HijackThis report:

"Faces of War" (Remove Only)
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 7.1.0
Adobe Shockwave Player 11
AdwareAlert
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
ArcSoft Panorama Maker 3
ArcSoft Software Suite
AVG Free 8.0
Axis & Allies
Axis and Allies
Azureus
'Battle of the Bulge' Mod
Battle.net
Bonjour
Brother HL-2040
Brothers In Arms EiB
Call of Duty(R) - World at War(TM) Beta
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM) 1.3 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
CCleaner (remove only)
ClearType Tuning Control Panel Applet
CoH Desert Map Pack
CoH Invasion Map Pack
CoH Vire Map Pack
Company of Heroes
Company of Heroes - D-Day Coop Map
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Conquest 4.0
Creative Removable Disk Manager
Creative System Information
Creative ZEN V Series (R2)
DAO
Day of Defeat: Source
Day of Defeat: Source Beta
Diablo
DODS Visual Upgrade Pack 1.0
Doom 3
Dungeon Keeper 2
EA Download Manager
EPSON CardMonitor
EPSON PhotoStarter3.0
EPSON PictureMate User's Guide
EPSON Printer Software
EuropeInRuins
FEAR
Film Factory
FrostWire 4.17.1
Full Spectrum Warrior
Fusion Pack CS Source
Fusion Pack Source
Garry's Mod
GiPo@MoveOnBoot 1.9.5
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Götterdämmerung Map
Half-Life 2: Episode Two
Hauppauge WinTV Scheduler
Hauppauge WinTV Soft PVR
Hauppauge WinTV2000
Heroes of Might and Magic® III
Highway to the Reich v2.0.70
HijackThis 2.0.2
Hitman Pro 3
Hornet Leader Demo
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB952287)
HP Install Network Printer Wizard
iDump v1.1.1
Indeo® Software
iPod To Computer Transfer 3.1
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
KMOD NaW ~ Diagnostic Tool
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Close Combat III
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2000 Professional
Microsoft Office Small Business Edition 2003
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.3)
MSXML 6.0 Parser (KB933579)
Nero Suite
Network Play System (Patching)
NVIDIA Drivers
NVIDIA PhysX v8.09.04
PictureProject
PictureProject In Touch Downloader 1.0
Portal
PunkBuster Services
QuickTime
Razer Diamondback
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Resistance & Liberation (Remove Only)
Risk II
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Sid Meier's Alpha Centauri
Silent Hunter III
SPORE™
SPRITE ADD-ON FOR DODSVU 1.0
Spybot - Search & Destroy
Starcraft
Steam
Steam(TM)
SUPERAntiSpyware Free Edition
Sven Co-op 3.0
System Requirements Lab
TBS WMP Plug-in
The Sims
ULi AC'97 Audio Controller Driver
ULi PCI to AGP Controller Driver
Update 1.04.1 for "Faces of War"
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Ventrilo Client
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 10 Hotfix - KB895316
Windows XP Service Pack 3
WinRAR archiver
World in Conflict
ZENcast Organizer
ZoneAlarm

Thank you.
Peter
peter424
Regular Member
 
Posts: 21
Joined: November 5th, 2008, 4:17 pm

Re: Combofix Log

Unread postby Shaba » November 12th, 2008, 5:16 am

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Azureus
FrostWire 4.17.1


I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Please run a new uninstall list scan when finished and post the log back here.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Combofix Log

Unread postby peter424 » November 13th, 2008, 9:44 pm

OK, no problem. Uninstalled the programs per your instructions. Here is the new uninstall list.

"Faces of War" (Remove Only)
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 7.1.0
Adobe Shockwave Player 11
AdwareAlert
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
ArcSoft Panorama Maker 3
ArcSoft Software Suite
AVG Free 8.0
Axis & Allies
Axis and Allies
'Battle of the Bulge' Mod
Battle.net
Bonjour
Brother HL-2040
Brothers In Arms EiB
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM) 1.3 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
CCleaner (remove only)
ClearType Tuning Control Panel Applet
CoH Desert Map Pack
CoH Invasion Map Pack
CoH Vire Map Pack
Company of Heroes
Company of Heroes - D-Day Coop Map
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Conquest 4.0
Creative Removable Disk Manager
Creative System Information
Creative ZEN V Series (R2)
DAO
Day of Defeat: Source
Day of Defeat: Source Beta
Diablo
DODS Visual Upgrade Pack 1.0
Doom 3
Dungeon Keeper 2
EA Download Manager
EPSON CardMonitor
EPSON PhotoStarter3.0
EPSON PictureMate User's Guide
EPSON Printer Software
EuropeInRuins
FEAR
Film Factory
Full Spectrum Warrior
Fusion Pack CS Source
Fusion Pack Source
Garry's Mod
GiPo@MoveOnBoot 1.9.5
Google Earth
Götterdämmerung Map
Half-Life 2: Episode Two
Hauppauge WinTV Scheduler
Hauppauge WinTV Soft PVR
Hauppauge WinTV2000
Heroes of Might and Magic® III
Highway to the Reich v2.0.70
HijackThis 2.0.2
Hitman Pro 3
Hornet Leader Demo
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB952287)
HP Install Network Printer Wizard
iDump v1.1.1
Indeo® Software
iPod To Computer Transfer 3.1
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
KMOD NaW ~ Diagnostic Tool
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Close Combat III
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2000 Professional
Microsoft Office Small Business Edition 2003
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.3)
MSXML 6.0 Parser (KB933579)
Nero Suite
Network Play System (Patching)
NVIDIA Drivers
NVIDIA PhysX v8.09.04
PictureProject
PictureProject In Touch Downloader 1.0
Portal
QuickTime
Razer Diamondback
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Resistance & Liberation (Remove Only)
Risk II
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sid Meier's Alpha Centauri
Silent Hunter III
SPORE™
SPRITE ADD-ON FOR DODSVU 1.0
Spybot - Search & Destroy
Starcraft
Steam
Steam(TM)
SUPERAntiSpyware Free Edition
Sven Co-op 3.0
System Requirements Lab
TBS WMP Plug-in
The Sims
ULi AC'97 Audio Controller Driver
ULi PCI to AGP Controller Driver
Update 1.04.1 for "Faces of War"
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Ventrilo Client
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 10 Hotfix - KB895316
Windows XP Service Pack 3
WinRAR archiver
World in Conflict
ZENcast Organizer
ZoneAlarm

Thanks again,
Peter
peter424
Regular Member
 
Posts: 21
Joined: November 5th, 2008, 4:17 pm

Re: Combofix Log

Unread postby Shaba » November 14th, 2008, 5:15 am

Open notepad and copy/paste the text in the codebox below into it:

Folder::
c:\program files\FrostWire
c:\documents and settings\Primary\Application Data\FrostWire


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Combofix Log

Unread postby peter424 » November 15th, 2008, 9:07 pm

Hi,
Here is the latest combofix log, per your instructions. It seemed to run just fine, though there were a number of programs that "did not shut down" properly (such as the program for the razr mouse and a few others).

ComboFix 08-11-13.02 - Primary 2008-11-15 19:57:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1423 [GMT -5:00]
Running from: c:\documents and settings\Primary\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Primary\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Primary\Application Data\FrostWire
c:\documents and settings\Primary\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
c:\documents and settings\Primary\Application Data\FrostWire\checkandupdate.txt
c:\documents and settings\Primary\Application Data\FrostWire\createtimes.cache
c:\documents and settings\Primary\Application Data\FrostWire\downloads.dat
c:\documents and settings\Primary\Application Data\FrostWire\fileurns.bak
c:\documents and settings\Primary\Application Data\FrostWire\fileurns.cache
c:\documents and settings\Primary\Application Data\FrostWire\filters.props
c:\documents and settings\Primary\Application Data\FrostWire\frostwire.props
c:\documents and settings\Primary\Application Data\FrostWire\gnutella.net
c:\documents and settings\Primary\Application Data\FrostWire\installation.props
c:\documents and settings\Primary\Application Data\FrostWire\intent.props
c:\documents and settings\Primary\Application Data\FrostWire\library.dat
c:\documents and settings\Primary\Application Data\FrostWire\mojito.props
c:\documents and settings\Primary\Application Data\FrostWire\questions.props
c:\documents and settings\Primary\Application Data\FrostWire\responses.cache
c:\documents and settings\Primary\Application Data\FrostWire\simpp.xml
c:\documents and settings\Primary\Application Data\FrostWire\spam.dat
c:\documents and settings\Primary\Application Data\FrostWire\tables.props
c:\documents and settings\Primary\Application Data\FrostWire\themes\frostwirePro_theme.fwtp
c:\documents and settings\Primary\Application Data\FrostWire\themes\frostwirePro_theme\theme.txt
c:\documents and settings\Primary\Application Data\FrostWire\themes\frostwirePro_theme\version.txt
c:\documents and settings\Primary\Application Data\FrostWire\ttrees.cache
c:\documents and settings\Primary\Application Data\FrostWire\ttroot.cache
c:\documents and settings\Primary\Application Data\FrostWire\version.xml
c:\documents and settings\Primary\Application Data\FrostWire\xml\data\audio.sxml2

.
((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.

2008-11-15 18:04 . 2008-11-15 18:04 <DIR> d-------- c:\windows\LastGood
2008-11-13 00:02 . 2008-11-13 00:03 1,393 --a------ c:\windows\imsins.BAK
2008-11-12 22:34 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 22:34 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 16:46 . 2008-11-10 16:46 <DIR> d-------- c:\windows\AiOTemp
2008-11-10 16:44 . 2008-11-10 16:45 <DIR> d-------- c:\windows\system32\Adobe
2008-11-06 00:59 . 2008-11-15 20:00 3,631,136 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-11-06 00:59 . 2008-11-15 07:35 47,096 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-11-06 00:56 . 2008-11-06 00:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-11-06 00:56 . 2008-07-09 09:05 75,248 --a------ c:\windows\zllsputility.exe
2008-11-06 00:56 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
2008-11-06 00:56 . 2008-11-06 00:57 4,212 ---h----- c:\windows\system32\zllictbl.dat
2008-11-06 00:55 . 2008-11-06 00:56 <DIR> d-------- c:\windows\system32\ZoneLabs
2008-11-06 00:55 . 2008-11-06 00:55 <DIR> d-------- c:\program files\Zone Labs
2008-11-06 00:55 . 2008-07-09 09:05 1,086,952 --a------ c:\windows\system32\zpeng24.dll
2008-11-06 00:55 . 2008-11-15 18:03 352,918 --a------ c:\windows\system32\vsconfig.xml
2008-11-06 00:52 . 2008-11-15 19:56 <DIR> d-------- c:\windows\Internet Logs
2008-11-06 00:44 . 2008-11-06 00:44 <DIR> d-------- c:\program files\Hitman Pro 3
2008-11-06 00:44 . 2008-11-08 16:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hitman Pro 3
2008-11-06 00:44 . 2008-11-06 00:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hitman Pro
2008-11-05 19:15 . 2008-11-05 19:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-05 19:15 . 2008-11-05 19:15 <DIR> d-------- c:\documents and settings\Primary\Application Data\Malwarebytes
2008-11-05 19:15 . 2008-11-05 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-05 19:15 . 2008-10-22 16:28 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-05 19:15 . 2008-10-22 16:28 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-05 18:06 . 2008-11-05 18:06 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-05 18:06 . 2008-11-05 18:06 <DIR> d-------- c:\documents and settings\Primary\Application Data\SUPERAntiSpyware.com
2008-11-05 18:06 . 2008-11-05 18:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-05 03:05 . 2008-11-05 03:05 <DIR> d-------- c:\program files\GiPo@Utilities
2008-11-05 03:05 . 2008-11-05 03:05 <DIR> d-------- c:\program files\Common Files\Gibinsoft Shared
2008-11-05 00:06 . 2008-11-06 23:00 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-02 12:36 . 2008-11-07 01:57 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-02 11:48 . 2008-11-02 11:48 <DIR> d-------- c:\program files\Lavasoft
2008-11-02 11:48 . 2008-11-02 11:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-25 21:26 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-22 20:20 . 2008-10-22 20:20 281 --a------ c:\windows\irremote.ini
2008-10-16 23:20 . 2008-10-16 23:20 <DIR> d-------- c:\windows\system32\AGEIA
2008-10-16 23:20 . 2008-10-16 23:20 <DIR> d-------- c:\program files\AGEIA Technologies
2008-10-16 22:58 . 2005-02-04 12:37 131,072 --a------ c:\windows\system32\hcwsched.ocx
2008-10-16 22:58 . 1998-06-25 22:00 89,600 --a------ c:\windows\system32\MSCAL.OCX
2008-10-16 22:58 . 2005-01-12 14:29 69,696 --a------ c:\windows\system32\CHSUITE.OCX
2008-10-16 22:58 . 2005-02-21 13:36 69,632 --a------ c:\windows\system32\hcwsched.dll
2008-10-16 22:58 . 2002-12-27 11:33 65,536 --a------ c:\windows\system32\dmcrypto.dll
2008-10-16 22:58 . 2001-01-12 10:02 53,248 --a------ c:\windows\system32\MDCustomPanels.ocx
2008-10-16 22:57 . 2008-10-16 22:57 <DIR> d-------- c:\windows\system32\hauppauge
2008-10-16 22:57 . 2004-02-23 08:44 236,544 --a------ c:\windows\system32\DivXdec.ax
2008-10-16 22:57 . 2002-10-31 21:32 53,248 --a------ c:\windows\system32\hcwfwrit.ax
2008-10-16 22:57 . 2008-10-16 22:57 3,070 --a------ c:\windows\HCWPNP.INI
2008-10-16 22:20 . 2008-10-16 22:20 <DIR> d-------- C:\MyVideos
2008-10-16 22:20 . 2002-12-17 10:15 77,824 --a------ c:\windows\system32\hcwsplit.ax
2008-10-16 22:20 . 2002-12-18 16:02 69,632 --a------ c:\windows\system32\hcwfread.ax
2008-10-16 21:35 . 2008-10-16 22:58 <DIR> d-------- c:\program files\WinTV
2008-10-16 21:25 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-16 21:25 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-16 21:25 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-16 21:25 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-16 21:25 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-16 21:25 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-14 01:38 --------- d-----w c:\program files\Azureus
2008-11-12 13:08 --------- d-----w c:\program files\Google
2008-11-12 03:24 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-07 03:59 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-06 05:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-06 03:14 --------- d-----w c:\program files\Bonjour
2008-11-06 03:03 --------- d-----w c:\program files\Brownie
2008-11-06 01:48 --------- d-----w c:\documents and settings\Primary\Application Data\U3
2008-11-05 23:06 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-31 03:23 22,328 ----a-w c:\documents and settings\Primary\Application Data\PnkBstrK.sys
2008-10-27 23:00 --------- d-----w c:\program files\Hewlett-Packard
2008-10-24 11:21 455,296 ------w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-14 22:47 --------- d-----w c:\documents and settings\Primary\Application Data\Move Networks
2008-10-07 22:34 --------- d-----w c:\documents and settings\Primary\Application Data\SystemRequirementsLab
2008-10-04 19:01 --------- d-----w c:\program files\Windows Media Connect 2
2008-09-19 02:09 --------- d-----w c:\documents and settings\All Users\Application Data\NexonUS
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\win32k.sys
2008-09-12 03:15 4,166 ----a-w c:\windows\system32\ealregsnapshot1.reg
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-07 23:38 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 13:31 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe
2008-09-01 14:02 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2008-09-01 00:52 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-09-01 00:41 81,984 ----a-w c:\windows\system32\bdod.bin
2008-08-29 16:06 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll
2008-08-29 12:57 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-08-27 17:58 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-20 22:35 122,880 ----a-w c:\windows\system32\NVCOSMB.DLL
2008-06-29 16:22 66,936 --sha-w c:\windows\dlinfo_0.drv
2008-06-09 07:14 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060920080610\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-07 1871872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"EPSON PictureMate 2005"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9ZA.EXE" [2005-02-14 98304]
"Diamondback"="c:\program files\Razer\Diamondback\razerhid.exe" [2007-02-14 147456]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="d:\itunes\iTunesHelper.exe" [2008-06-02 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-10-04 c:\windows\soundman.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
NkbMonitor.exe.lnk - d:\nikon\PictureProject\NkbMonitor.exe [2006-12-17 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Brother\\BRCDUTL\\BRHL2040\\inthelp.exe"=
"c:\\Program Files\\AvRack\\rtlrack.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\Steam\\SteamApps\\plowenfeld@yahoo.com\\day of defeat source\\hl2.exe"=
"d:\\Steam\\SteamApps\\plowenfeld@yahoo.com\\counter-strike source\\hl2.exe"=
"d:\\Steam\\SteamApps\\plowenfeld@yahoo.com\\half-life 2 deathmatch\\hl2.exe"=
"d:\\Steam\\SteamApps\\plowenfeld@yahoo.com\\half-life deathmatch source\\hl2.exe"=
"d:\\DK2\\DKII.exe"=
"d:\\Steam\\SteamApps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"d:\\Steam\\steam.exe"=
"d:\\Steam\\SteamApps\\utzzzz\\day of defeat source\\hl2.exe"=
"d:\\Sierra\\FEAR\\FEAR.exe"=
"d:\\Sierra\\FEAR\\FEARMP.exe"=
"d:\\Steam\\SteamApps\\jack1105\\counter-strike source\\hl2.exe"=
"d:\\Steam\\SteamApps\\jack1105\\half-life 2 deathmatch\\hl2.exe"=
"d:\\AIM\\aim.exe"=
"d:\\Sierra\\FEAR\\FEARServer.exe"=
"d:\\Steam\\SteamApps\\utzzzz\\half-life 2\\hl2.exe"=
"d:\\Steam\\SteamApps\\jack1105\\half-life 2\\hl2.exe"=
"d:\\Microsoft Games\\Close Combat III\\CC3.exe"=
"d:\\Steam\\SteamApps\\plowenfeld@yahoo.com\\condition zero\\hl.exe"=
"d:\\Steam\\SteamApps\\utzzzz\\counter-strike source\\hl2.exe"=
"d:\\Starcraft\\StarCraft.exe"=
"d:\\Steam\\SteamApps\\utzzzz\\counter-strike\\hl.exe"=
"d:\\Steam\\SteamApps\\plowenfeld@yahoo.com\\counter-strike\\hl.exe"=
"d:\\Ubisoft\\Faces of War\\facesofwar.exe"=
"d:\\Steam\\SteamApps\\plowenfeld@yahoo.com\\source sdk base\\hl2.exe"=
"d:\\Steam\\SteamApps\\jack1105\\source sdk base\\hl2.exe"=
"d:\\Steam\\SteamApps\\utzzzz\\day of defeat\\hl.exe"=
"d:\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\3DO\\Heroes3\\Heroes3.EXE"=
"c:\\Program Files\\3DO\\Heroes3\\h3maped.exe"=
"d:\\Steam\\SteamApps\\jack1105\\day of defeat source\\hl2.exe"=
"e:\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
"e:\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=
"d:\\Steam\\SteamApps\\plowenfeld@yahoo.com\\team fortress 2\\hl2.exe"=
"d:\\Steam\\SteamApps\\plowenfeld@yahoo.com\\day of defeat source beta\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"e:\\Diablo\\diablo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\iTunes\\iTunes.exe"=
"g:\\Ubisoft\\Gearbox Software\\BrothersInArmsEiB\\System\\EiB.exe"=
"d:\\Steam\\SteamApps\\jack1105\\garrysmod\\hl2.exe"=
"g:\\THQ\\Pandemic Studios\\Full Spectrum Warrior\\Launcher.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\DRIVERS\agpkx.sys [2006-12-14 45056]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-31 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-31 231704]
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [2008-10-16 472644]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\Drivers\Razerlow.sys [2007-12-30 13225]
S0 m5289;m5289;c:\windows\system32\DRIVERS\m5289.sys []
S2 ATIBTCAP;ATI TV Wonder Video Capture;c:\windows\system32\drivers\atibtcap.sys [2008-10-02 58240]
S2 ATIBTXBAR;ATI TV Wonder Video Crossbar;c:\windows\system32\drivers\atibtxbr.sys [2008-10-02 6912]
S2 ATIVTUTW;ATI TV Wonder TV Tuner;c:\windows\system32\drivers\ativtutw.sys [2008-10-02 17664]
S2 ATIVXSTW;ATI TV Wonder Audio Crossbar;c:\windows\system32\drivers\ativxstw.sys [2008-10-02 28416]
S3 AC97ALI;Service for AC'97 Driver (WDM);c:\windows\system32\drivers\ali55wdm.sys [2006-05-10 63488]
S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\c:\windows\system32\drivers\hitmanpro3.sys []
S3 lac97inf;lac97inf;\??\c:\docume~1\Primary\LOCALS~1\Temp\lac97inf.sys []
S4 hpt3xx;hpt3xx; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd3381c8-ab81-11dd-8976-003018a7bb96}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-15 20:00:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-15 20:01:24
ComboFix-quarantined-files.txt 2008-11-16 01:01:21
ComboFix2.txt 2008-11-06 01:54:54

Pre-Run: 6,633,033,728 bytes free
Post-Run: 6,688,206,848 bytes free

268 --- E O F --- 2008-11-13 05:05:45

Thank you again.
Peter
peter424
Regular Member
 
Posts: 21
Joined: November 5th, 2008, 4:17 pm
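Added example (my own code, not from the thread, from ComboFix or from MalwareRemoval.com): a small Python checker that reads the CFScript Shaba asked for in the post above and the ComboFix.txt Peter posted, confirms the log's "Command switches used ::" line names the script, and counts, for each Folder:: target, the paths the log lists under "Other Deletions". The sample inputs are excerpts constructed from the thread. Two things are assumptions drawn only from what this page shows: that any "Name::" line is a CFScript directive of the same shape as Folder::, and that every ComboFix section header has the "(((( Title ))))" form.

```python
"""Cross-check a ComboFix CFScript against the ComboFix.txt it produced.

Added example, not code from the thread or from ComboFix: confirm that
ComboFix consumed the CFScript and that each Folder:: target shows up
under the "Other Deletions" section of the resulting log.
"""
import re

# A CFScript directive is a line of the form "Name::" followed by one
# target per line. Only Folder:: appears on the page; other directive
# names are parsed with the same shape (assumption).
DIRECTIVE_RE = re.compile(r"^(\w+)::\s*$")

# ComboFix section headers look like "(((( Title ))))" in the posted log (assumption).
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")

# Constructed sample input: the CFScript requested in the thread.
CFSCRIPT = """Folder::
c:\\program files\\FrostWire
c:\\documents and settings\\Primary\\Application Data\\FrostWire
"""

# Constructed sample input: excerpts of the ComboFix.txt posted in the thread.
COMBOFIX_LOG = """ComboFix 08-11-13.02 - Primary 2008-11-15 19:57:52.2 - NTFSx86
Running from: c:\\documents and settings\\Primary\\Desktop\\ComboFix.exe
Command switches used :: c:\\documents and settings\\Primary\\Desktop\\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\\documents and settings\\Primary\\Application Data\\FrostWire
c:\\documents and settings\\Primary\\Application Data\\FrostWire\\downloads.dat
c:\\documents and settings\\Primary\\Application Data\\FrostWire\\gnutella.net

.
((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.
2008-11-15 18:04 . 2008-11-15 18:04 <DIR> d-------- c:\\windows\\LastGood
"""


def parse_cfscript(text):
    """Return {directive: [target, ...]}; targets are lower-cased because NTFS paths are case-insensitive."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = DIRECTIVE_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line.lower())
    return sections


def parse_combofix_sections(text):
    """Split a ComboFix log into {section title: [lines]}; text before the first header is '_preamble'."""
    sections = {"_preamble": []}
    current = "_preamble"
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections[current] = []
        elif line and line != ".":  # ComboFix pads sections with lone dots
            sections[current].append(line)
    return sections


def script_was_used(log_sections):
    """True if the log's 'Command switches used ::' line names a CFScript."""
    return any(
        line.startswith("Command switches used ::") and "cfscript" in line.lower()
        for line in log_sections["_preamble"]
    )


def check_folder_targets(cfscript_text, log_text):
    """Map each Folder:: target to the number of 'Other Deletions' entries at or under it."""
    script = parse_cfscript(cfscript_text)
    log = parse_combofix_sections(log_text)
    deleted = [path.lower() for path in log.get("Other Deletions", [])]
    counts = {}
    for folder in script.get("Folder", []):
        counts[folder] = sum(1 for path in deleted if path == folder or path.startswith(folder + "\\"))
    return counts


if __name__ == "__main__":
    log_sections = parse_combofix_sections(COMBOFIX_LOG)
    print("CFScript consumed:", script_was_used(log_sections))
    for folder, count in check_folder_targets(CFSCRIPT, COMBOFIX_LOG).items():
        print(f"{count:3d} deletion(s) under {folder}")
```

A count of zero for c:\program files\FrostWire is what the log above actually shows: the uninstall Peter did in the earlier post had already removed that folder, so the Folder:: line had nothing left to delete there. When a target you expected to be present comes back zero, check that the "Command switches used" line names the script at all before concluding that the folder survived.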

Re: Combofix Log

Unread postby peter424 » November 15th, 2008, 9:36 pm

Hey,
Just thought I'd let you know, right as I finished posting this last combofix log, the pc bluescreened saying it had to shut down to prevent further damage.....
Don't know if that's relevant, or if I was just supposed to restart myself right after running combofix. Anyway it seems fine after it rebooted itself.
Thank you.
Peter
peter424
Regular Member
 
Posts: 21
Joined: November 5th, 2008, 4:17 pm

Re: Combofix Log

Unread postby Shaba » November 16th, 2008, 6:04 am

Yes that can sometimes happen.

Please post also a fresh HijackThis log :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Combofix Log

Unread postby peter424 » November 16th, 2008, 11:22 am

OK, here is another hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:18 AM, on 11/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
D:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Download 1\hijackthis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.games-fusion.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [EPSON PictureMate 2005] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9ZA.EXE /P22 "EPSON PictureMate 2005" /O6 "USB001" /M "PictureMate 2005"
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = D:\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/ ... .2.100.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.4.1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDow ... rtScan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C0937C2-B7A6-49A6-8322-062F5F8A4F5E}: NameServer = 68.87.73.242,68.87.71.226
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6912 bytes


Thank you.
Peter
peter424
Regular Member
 
Posts: 21
Joined: November 5th, 2008, 4:17 pm
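Added here as an illustration, not part of this thread or of the HijackThis tool: a small Python triage script that parses lines in the log format posted above and flags the kinds of entries a helper reads first (orphaned "(file missing)" items, autoruns given as a bare filename, Winsock LSP, NameServer and AppInit_DLLs entries). The sample log is a constructed subset of the entries above, and the rules are generic heuristics for the format, not a verdict on any entry in this log.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log
# posted above, in the same "Oxx - ..." format (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C0937C2-B7A6-49A6-8322-062F5F8A4F5E}: NameServer = 68.87.73.242,68.87.71.226
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis finding starts with a section tag such as O4 or O23.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")

def parse_entries(text):
    """Split each 'Oxx - ...' line into a (section, body) pair; skip other lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(text):
    """Return (section, reason, body) for entries worth a closer look.
    Heuristics only (an assumption of this example): they select what to verify,
    they do not decide whether an entry is malicious."""
    flagged = []
    for section, body in parse_entries(text):
        if "(file missing)" in body:
            flagged.append((section, "orphaned entry: referenced file is missing", body))
        elif section == "O4" and not re.search(r"[A-Za-z]:\\", body):
            # Autorun with a bare filename: resolved by search order, so verify which file runs
            flagged.append((section, "autorun without a full path", body))
        elif section == "O10":
            flagged.append((section, "Winsock LSP entry: verify the DLL's origin", body))
        elif section == "O17":
            flagged.append((section, "custom DNS servers: confirm they belong to your ISP", body))
        elif section == "O20" and "AppInit_DLLs" in body:
            flagged.append((section, "AppInit_DLLs loads into every process: verify", body))
    return flagged

if __name__ == "__main__":
    for sec, why, body in triage(SAMPLE_LOG):
        print(f"{sec}: {why}\n    {body}")
```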

Re: Combofix Log

Unread postby Shaba » November 16th, 2008, 1:02 pm

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland