
Poison Ivy


Re: Poison Ivy

Post by Stragar » May 9th, 2008, 8:36 pm

Combofix log

ComboFix 08-05-08.1 - Shane 2008-05-10 10:23:26.1 - NTFSx86
Running from: E:\Documents and Settings\Shane\Desktop\ComboFix.exe
Command switches used :: E:\Documents and Settings\Shane\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\WINDOWS\system32\hpmbuseg.ini
E:\WINDOWS\system32\modvtmhm.ini
E:\WINDOWS\system32\wjffyovc.ini
E:\WINDOWS\system32\ymxbeakb.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-10 to 2008-05-10 )))))))))))))))))))))))))))))))
.

2008-05-09 08:04 . 2008-05-09 08:04 <DIR> d-------- E:\Program Files\Trend Micro
2008-05-08 22:47 . 2008-04-14 14:00 2,178,131 --a--c--- E:\WINDOWS\system32\dllcache\shvlres.dll
2008-05-08 22:23 . 2008-05-08 22:30 <DIR> d-------- E:\Program Files\nLite
2008-05-08 17:08 . 2008-05-08 17:08 <DIR> d-------- E:\Deckard
2008-05-07 21:12 . 2008-05-07 21:24 <DIR> d-------- E:\Program Files\Free Download Manager
2008-05-07 18:56 . 2008-05-07 18:56 <DIR> d-------- E:\Program Files\Common Files\Adobe AIR
2008-05-07 18:56 . 2008-05-07 18:56 <DIR> d-------- E:\Program Files\Adobe Media Player
2008-05-07 16:13 . 2008-05-07 16:13 54,156 --ah----- E:\WINDOWS\QTFont.qfn
2008-05-07 16:13 . 2008-05-07 16:13 1,409 --a------ E:\WINDOWS\QTFont.for
2008-05-03 12:32 . 2008-05-03 12:32 354,560 --a------ E:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-03 12:32 . 2008-04-04 14:51 28,416 --a------ E:\WINDOWS\system32\uxtuneup.dll
2008-05-02 19:03 . 2008-05-08 17:45 <DIR> d-------- E:\WINDOWS\system32\Kaspersky Lab
2008-05-02 18:42 . 2008-05-02 18:42 0 --ah----- E:\Documents and Settings\Shane\NTUSER.DAT_TU_95276.LOG
2008-05-02 18:42 . 2008-05-02 18:42 0 --ah----- E:\Documents and Settings\NetworkService\NTUSER.DAT_TU_28899.LOG
2008-05-02 18:42 . 2008-05-02 18:42 0 --ah----- E:\Documents and Settings\LocalService\NTUSER.DAT_TU_96838.LOG
2008-05-01 19:02 . 2008-05-02 17:48 <DIR> d-------- E:\Program Files\Microsoft Bootvis
2008-04-27 12:16 . 2008-04-27 12:16 <DIR> d-------- E:\Documents and Settings\Shane\dwhelper
2008-04-26 22:24 . 2008-04-26 22:24 85,520 --a------ E:\WINDOWS\system32\drivers\bdfndisf.sys
2008-04-26 22:00 . 2008-04-26 22:26 81,984 --a------ E:\WINDOWS\system32\bdod.bin
2008-04-26 21:58 . 2008-04-26 21:59 <DIR> d-------- E:\Program Files\Common Files\BitDefender
2008-04-23 16:37 . 2008-04-23 16:37 <DIR> d-------- E:\Documents and Settings\Shane\Application Data\AdobeUM
2008-04-23 08:29 . 2008-04-23 08:29 41,296 --a------ E:\WINDOWS\system32\xfcodec.dll
2008-04-22 23:02 . 2008-04-22 23:02 <DIR> d-------- E:\Documents and Settings\Shane\Application Data\vlc
2008-04-22 22:56 . 2008-05-07 22:43 <DIR> d---s---- E:\WINDOWS\Downloaded Program Files
2008-04-19 20:48 . 2008-04-19 20:49 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\WinZip
2008-04-18 10:33 . 2008-04-18 10:33 <DIR> d-------- E:\Program Files\Black Isle
2008-04-17 11:39 . 2008-04-17 11:39 260 --a------ E:\WINDOWS\_delis32.ini
2008-04-16 08:27 . 2008-05-01 00:06 <DIR> d-------- E:\Documents and Settings\Shane\Application Data\Xfire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 00:22 --------- d-----w E:\Documents and Settings\Shane\Application Data\mIRC
2008-05-09 23:50 --------- d-----w E:\Program Files\mIRC
2008-05-08 09:22 --------- d-----w E:\Program Files\Common Files\Wise Installation Wizard
2008-05-08 07:41 --------- d---a-w E:\Documents and Settings\All Users\Application Data\TEMP
2008-05-06 11:29 --------- d-----w E:\Program Files\LimeWire
2008-05-06 06:37 --------- d-----w E:\Documents and Settings\Shane\Application Data\uTorrent
2008-05-04 11:25 --------- d-----w E:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-30 12:00 --------- d-----w E:\Program Files\Microsoft Works
2008-04-26 12:39 --------- d-----w E:\Program Files\ESET
2008-04-23 05:27 --------- d-----w E:\Documents and Settings\Shane\Application Data\Orbit
2008-04-18 00:47 --------- d--h--w E:\Program Files\InstallShield Installation Information
2008-04-17 14:51 --------- d-----w E:\Program Files\Common Files\Logitech
2008-04-17 01:24 717,296 ----a-w E:\WINDOWS\system32\drivers\sptd.sys
2008-04-09 01:26 --------- d-----w E:\Program Files\iPod
2008-04-09 01:24 --------- d-----w E:\Program Files\QuickTime
2008-04-09 01:22 --------- d-----w E:\Program Files\Apple Software Update
2008-04-09 01:21 --------- d-----w E:\Program Files\Common Files\Apple
2008-04-06 03:50 --------- d-----w E:\Program Files\ACW
2008-04-06 03:12 --------- d-----w E:\Documents and Settings\Shane\Application Data\BitTorrent
2008-03-27 08:18 --------- d-----w E:\Program Files\Messenger Plus! Live
2008-03-27 08:18 --------- d-----w E:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-03-27 08:16 --------- d-----w E:\Program Files\Windows Live
2008-03-27 08:03 --------- d-----w E:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-26 13:55 --------- d-----w E:\Documents and Settings\Shane\Application Data\DivX
2008-03-25 05:14 --------- d-----w E:\Program Files\Unlocker
2008-03-21 06:16 278,984 ----a-w E:\WINDOWS\system32\drivers\atksgt.sys
2008-03-21 06:16 25,416 ----a-w E:\WINDOWS\system32\drivers\lirsgt.sys
2008-03-21 06:00 --------- d-----w E:\Documents and Settings\Shane\Application Data\DAEMON Tools Pro
2008-03-20 21:32 --------- d-----w E:\Documents and Settings\Shane\Application Data\OLYMPUS
2008-03-19 12:20 --------- d-----w E:\Documents and Settings\Shane\Application Data\Nexon
2008-03-11 11:48 --------- d-----w E:\Program Files\Lavasoft
2008-03-07 04:45 2,560 ----a-w E:\WINDOWS\_MSRSTRT.EXE
2004-03-11 03:27 40,960 ----a-w E:\Program Files\Uninstall_CDS.exe
2007-08-28 08:33 23 --sha-w E:\WINDOWS\system32\efdedff_d.dll
2005-09-24 11:06 7,537 -csha-w E:\WINDOWS\system32\rerolpxei.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="E:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 10:34 5724184]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-08 15:00 15360]
"Rainlendar2"="E:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-07-24 17:12 1298432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MULTIMEDIA KEYBOARD"="E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2001-10-18 16:54 163840]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2007-12-05 00:41 8523776]
"egui"="E:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-03-01 04:54 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\system32\CTFMON.EXE" [2004-08-08 15:00 15360]
"DWQueuedReporting"="E:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 18:29 39264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="E:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
iexplorer.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.XFR1"= xfcodec.dll
"vidc.ffds"= F:\Program Files\Codecs\ffdshow\ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"UxTuneUp"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"CiSvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=E:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"FirefoxUltimateOptimizer"="F:\My Documents\Game Stuff\firefox-ultimate-optimizer-11\Firefox Ultimate Optimizer.exe"
"MSConfig"=E:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe /auto

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"E:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"E:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"F:\\Program Files\\Xfire\\xfire.exe"=
"E:\\Program Files\\mIRC\\mirc.exe"=
"F:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:warcraft 3

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{21DB17A7-9EB9-0768-D9C5-22A71AD280F1}]
E:\WINDOWS\system32:svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{21DB17A7-9EB9-0768-D9C5-22A71AD280F1}]
Disabeld
.
Contents of the 'Scheduled Tasks' folder
"2008-05-10 00:30:05 E:\WINDOWS\Tasks\MP Scheduled Scan.job"
- E:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-10 10:27:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
E:\Program Files\Windows Defender\MsMpEng.exe
E:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
E:\Program Files\ESET\ESET Smart Security\ekrn.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Netropa\Multimedia Keyboard\Traymon.exe
E:\Program Files\Netropa\Onscreen Display\osd.exe
E:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-05-10 10:32:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-10 00:32:01

Pre-Run: 25,980,502,016 bytes free
Post-Run: 25,865,031,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /TUTag=OCM2S2
E:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

178 --- E O F --- 2008-05-09 02:50:09
Stragar
Active Member
Posts: 12
Joined: May 4th, 2008, 7:13 am

Re: Poison Ivy

Post by Stragar » May 9th, 2008, 8:37 pm

HiJackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:39 AM, on 10/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
E:\Program Files\ESET\ESET Smart Security\ekrn.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
E:\Program Files\ESET\ESET Smart Security\egui.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Rainlendar2\Rainlendar2.exe
E:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
E:\Program Files\Netropa\Onscreen Display\OSD.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Windows Live\Messenger\usnsvc.exe
E:\WINDOWS\explorer.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] "E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] E:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3399795406
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/gamedow ... in9USA.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B259B22-BFD7-4D2F-B2FD-3819B8E08CBB}: NameServer = 61.9.194.49,61.9.207.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS3\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O20 - Winlogon Notify: AutorunsDisabled - E:\WINDOWS\
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - E:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - E:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7058 bytes
Stragar
Active Member
Posts: 12
Joined: May 4th, 2008, 7:13 am

Re: Poison Ivy

Post by ndmmxiaomayi » May 10th, 2008, 1:42 am

Hi,

Does this ring any bell to you?

http://www.soft-central.net/keylog.php
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Poison Ivy

Post by Stragar » May 10th, 2008, 9:16 am

No, that is the first time I have seen that site.
Stragar
Active Member
Posts: 12
Joined: May 4th, 2008, 7:13 am

Re: Poison Ivy

Post by ndmmxiaomayi » May 10th, 2008, 9:30 am

Hi,

You should be aware that there are signs of a commercial keylogging program on your computer.

Because it is impossible for us to establish ownership of the computer whose log you have posted, we are also unable to establish whether the program was installed with the owner's permission. There may be legal ramifications with its removal which we are not equipped or trained to deal with. Because of this, we are unable to give directions to remove it from the computer.

  • If this is a Company machine, and you feel the program was not installed by your company, notify your company's IT department or those responsible for computer security.

  • If this is a private machine you may wish to take legal advice. Removal may also need to be done by a suitably qualified professional.

As per my first post to you, you have a backdoor with password stealing capability on your computer. Furthermore, a commercial keylogger is also present. This makes things more complex as we can no longer tell if it has been abused.

A clean install of Windows should help.
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Poison Ivy

Post by Stragar » May 10th, 2008, 9:40 am

Ok, it's just the computer I use to play games and do homework in my room on.

But seeing as you have suggested doing it a couple of times, I will reformat it.
Stragar
Active Member
Posts: 12
Joined: May 4th, 2008, 7:13 am

Re: Poison Ivy

Post by ndmmxiaomayi » May 10th, 2008, 9:55 am

That would be a good choice in my opinion.

Here are some ways to prevent an infection again.

Install an antivirus

Here are 2 free antivirus programs. Please get ONE antivirus and install it. Restart the computer for changes to take effect.

avast! 4 Home Edition
AntiVir Free Edition

Install a firewall

Here are 4 free firewalls. Please get ONE firewall and install it. Restart the computer for changes to take effect.

Online Armor
Webroot Desktop Firewall --- You need to register before you can download it.
Comodo Personal Firewall
Sunbelt Kerio

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Please ensure that you visit the following websites regularly or update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows

Go to Start > All Programs > Windows Update

To update Office

Open up any Office program.

Go to Help > Check for Updates

Alternatively, you can visit the links below to update Windows and Office products.

Windows Update
Office Update

If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

  1. Go to Start > Control Panel > Automatic Updates
  2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  3. Select the Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  4. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Besides Windows, which needs regular updating, antivirus, anti-spyware and firewall programs need regular updating too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.

  1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
  2. Never open emails from unknown senders.
  3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
  4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Surf safely

Many of the exploits are directed to users of Internet Explorer and Firefox.

Using Firefox with NoScript add-on helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.

If you prefer to use Internet Explorer, here are some settings to change to improve the security of Internet Explorer.

For Internet Explorer 6

  1. Open Internet Explorer. Click on Tools > Options.
  2. Click on the Security tab.
  3. Click on the Internet icon.
  4. Click on the Custom Level button.
  5. Under Download signed ActiveX controls, select Prompt.
  6. Under Download unsigned ActiveX controls, select Disable.
  7. Under Initialize and script ActiveX controls not marked as safe, select Disable.
  8. Under Installation of desktop items, select Prompt.
  9. Under Launching programs and files in an IFRAME, select Prompt.
  10. Under Navigate sub-frames across different domains, select Prompt.
  11. Under Allow paste operations via script, select Disable.
  12. Click OK to apply these settings.
  13. If it prompts you as to whether or not you want to save the settings, press the Yes button.
  14. Press OK to exit the Internet Properties page.

For a pictorial guide, please refer to this article.

For Internet Explorer 7

If you intend to upgrade to Internet Explorer 7, please read this article to configure Internet Explorer 7 properly.

Stop malicious scripts

Windows by default allows scripts (VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection

  1. Winpatrol
    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  2. Spyware Blaster
    SpywareBlaster is a program that is used to secure Internet Explorer by making it harder for ActiveX programs to run on your computer. It does this by disabling known offending ActiveX programs from running at all.

    You can download SpywareBlaster from Javacool.

    If you need help in using SpywareBlaster, you can read SpywareBlaster's tutorial at Bleeping Computer.

  3. SpywareGuard
    Just as an antivirus program scans a file for viruses before opening it, SpywareGuard does the same thing, except that it scans it for spyware.

    You can download SpywareGuard from Javacool.

    If you need help in using SpywareGuard, you can read SpywareGuard's tutorial at Bleeping Computer.

  4. IE-SPYAD
    IE-SPYAD adds over 5000 sites to your Internet Explorer restricted zone so that you will be protected if the website turns out to be a bad one. Sites that are in the restricted zone of Internet Explorer can't run any scripts, and no downloads or cookies are allowed. However, you can still connect to these sites.

    You can download IE-SPYAD from Spyware Warrior. Be sure to read the whole website carefully for instructions on usage of IE-SPYAD.

  5. Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    These Hosts files will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Malware Removal.

  6. Spybot Search and Destroy
    Spybot Search & Destroy is another program for scanning for spyware and adware. Not only so, it has other preventive options as well. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from here.

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.

  7. a-squared Free
    a-squared Free is also another program for scanning for spyware and adware. It doesn't have preventive features like Spybot Search & Destroy though.

    You can download a-squared Free from here.

    Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs and Malwarebytes RogueNET. This will save you from a lot of trouble. If in doubt, don't ever download it.

  8. SiteHound Toolbar
    SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spywares or has questionable contents. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.

Use an alternative email client

If you are using Outlook Express as your default email client, try using Thunderbird or Pegasus Mail instead.

Here are some more things to read about:

List of clean and infected download managers
Configuring Skype
Greater email safety
Phishing - what is it?
Configuring Outlook Express
The Unofficial Cookie FAQ
Securing your home wireless network
80 Super Security Tips
The different classes of security software
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am
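The "phone book" description of the Hosts file in the post above, as an added example that is not part of the forum thread and not code from the MVPS, Bluetack or hpHosts projects. It parses a Hosts file in the layout those lists use (one IP followed by one or more hostnames, `#` comments), answers lookups the way the operating system does (Hosts file first, DNS only as a fallback), and reports which names have been sinkholed. The `HOSTS_FILE` text and every domain name in it are constructed for this example; the `dns_lookup` callable is a stand-in for a real resolver so the script runs offline. It goes one step beyond the post by also treating `0.0.0.0` as a sinkhole address, which some block lists use instead of `127.0.0.1`.

```python
"""Resolve hostnames through a Hosts file before touching DNS.

Added example for the forum post above; not the post's own code and not
code from any of the Hosts file projects it links to. The Hosts content and
domain names below are constructed for illustration.
"""
import ipaddress

# Constructed sample in the usual Hosts file layout. Real block lists run to
# tens of thousands of lines; these few entries are illustrative only.
HOSTS_FILE = """\
# Hosts file (constructed sample for this example)
127.0.0.1  localhost
::1        localhost
# Block list entries: each bad name is pointed back at the local machine
127.0.0.1  ads.example-adserver.test  www.ads.example-adserver.test
127.0.0.1  tracker.example-spyware.test   # trailing comment
0.0.0.0    malware.example-badsite.test
not-an-ip  broken.example.test
"""


def parse_hosts(text):
    """Return {hostname_lowercase: ip} for every valid entry in *text*.

    Lines are `ip host [host ...]`, '#' starts a comment, blank lines are
    skipped, and hostnames are matched case-insensitively like the OS does.
    The first entry for a name wins, and malformed lines are ignored rather
    than aborting the whole file.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # skip lines whose first field is not an IP address
        for host in fields[1:]:
            table.setdefault(host.lower(), ip)
    return table


def resolve(hostname, table, dns_lookup=None):
    """Resolve *hostname* the way the OS does: Hosts file first, DNS second.

    dns_lookup is a hypothetical callable used only when the name is not in
    the table; it defaults to answering None so the example stays offline.
    """
    ip = table.get(hostname.strip().lower().rstrip("."))
    if ip is not None:
        return ip
    return dns_lookup(hostname) if dns_lookup else None


def points_to_local(hostname, table):
    """True if the Hosts file sends *hostname* to the local machine.

    That is the sinkhole effect the post describes: 127.0.0.1 (loopback)
    or, on lists that use it instead, 0.0.0.0 (unspecified).
    """
    ip = resolve(hostname, table)
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


if __name__ == "__main__":
    table = parse_hosts(HOSTS_FILE)
    for name in ("tracker.example-spyware.test", "malware.example-badsite.test",
                 "www.malwareremoval.com"):
        print(f"{name:32} -> {resolve(name, table)}  "
              f"sinkholed={points_to_local(name, table)}")
```

Because the lookup happens before any DNS query, a name on the list never leaves the machine; that is also why a trojan that edits the Hosts file can silently redirect update or antivirus sites, so the file is worth checking after an infection as well as before.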

Re: Poison Ivy

Post by NonSuch » May 19th, 2008, 8:22 pm

Stragar, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California