ComputerForum.com

#1  07-01-2009, 07:10 PM
New Member (Join Date: Oct 2008, Posts: 22)
Registry virus (probably)

I've put up a post about the registry being denied; Malwarebytes Anti-Malware cleaned it, and there wasn't anything on the next scan, but it still didn't help, even after a restart. So here are the logs.
1. Malwarebytes Anti-Malware
Malwarebytes' Anti-Malware 1.38
Database version: 2358
Windows 5.1.2600 Service Pack 3

2009.07.01 19:59:23
mbam-log-2009-07-01 (19-59-23).txt

Scan type: Quick Scan
Objects scanned: 100714
Time elapsed: 2 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shoppingreport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\onestepsearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\OneStepSearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ONESTEP_SEARCH_SERVICE (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\program files\shoppingreport\Bin (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\program files\shoppingreport\Bin\2.5.0 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\All Users\Start Menu\Programs\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Program Files\OneStepSearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\Program Files\premieropinion (Spyware.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\shoppingreport\Uninst.exe (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\About RelevantKnowledge.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\Privacy Policy and User License Agreement.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\Support.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\Uninstall Instructions.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\program files\onestepsearch\home.js (Adware.OneStepSearch) -> Quarantined and deleted successfully.
c:\program files\onestepsearch\onestep.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.
c:\program files\onestepsearch\readme.html (Adware.OneStepSearch) -> Quarantined and deleted successfully.
c:\program files\onestepsearch\uninstall.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.
c:\program files\premieropinion\pmservice.exe (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.
2. HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:07:56, on 2009.07.01
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Software602\Print2PDF\PrnPack.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ABBYY Lingvo 12\Lvagent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\VDOTool\TBPanel.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\WebMoney Agent\wmagent.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ABBYY FineReader 9.0\NetworkLicenseServer.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
H:\PROGRA~1\COSIDS\BIN\TbMux32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
h:\ElsaWin\bin\LcSvrAdm.exe
h:\ElsaWin\bin\LcSvrDba.exe
h:\ElsaWin\bin\LcSvrHis.exe
h:\ElsaWin\bin\LcSvrPas.exe
h:\ElsaWin\bin\LcSvrSaz.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
h:\ElsaWin\bin\VSgate.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
h:\ElsaWin\bin\LcSvrAuf.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\WINDOWS\System32\svchost.exe
G:\avg_free_stf_en_85_386a1586.exe
C:\DOCUME~1\Tadas\LOCALS~1\Temp\7zS5.tmp\avgsetup.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.lt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: (no name) - {2BC712F4-B482-4FD6-B56F-065E19A7B1D5} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Iejimo i Windows Live pagalbos priemone - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrintPack dispatcher] "C:\Program Files\Software602\Print2PDF\PrnPack.exe" /server
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lingvo Launcher] "C:\Program Files\ABBYY Lingvo 12\Lvagent.exe" /STARTUP
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [UpdatePDRShortCut] "G:\PowerDirector\PowerDirector\MUITransfer\MUIStartMenu.exe" "G:\PowerDirector\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [wmagent.exe] "C:\Program Files\WebMoney Agent\wmagent.exe"
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSI ToolBar.lnk = H:\EPC\Toolbar\EPSIBar.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Translate with ABBYY &Lingvo... - res://C:\Program Files\ABBYY Lingvo 12\Lingvo.exe/3000
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\Program Files\Software602\Print2PDF\Print602.dll
O9 - Extra 'Tools' menuitem: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\Program Files\Software602\Print2PDF\Print602.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.7.109.cab
O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vw-wi - {0F3C833F-FB28-40EA-8CB9-6A55B996C3F6} - h:\ElsaWin\bin\wiProt.dll
O23 - Service: ABBYY FineReader 9.0 Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\ABBYY FineReader 9.0\NetworkLicenseServer.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COSIDS_TB - TransAction Software, D 81737 Munich - H:\PROGRA~1\COSIDS\BIN\TbMux32.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - g:\xampp\FileZillaFTP\FileZillaServer.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: „Google“ atnaujinimo paslauga (gupdate1c9975a28bd7308) (gupdate1c9975a28bd7308) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ELSA Administration Service (LcSvrAdm) - Volkswagen AG - h:\ElsaWin\bin\LcSvrAdm.exe
O23 - Service: ELSA Auftragsverwaltungs Service (LcSvrAuf) - Volkswagen AG - h:\ElsaWin\bin\LcSvrAuf.exe
O23 - Service: ELSA DBA Server (LcSvrDba) - Volkswagen AG - h:\ElsaWin\bin\LcSvrDba.exe
O23 - Service: ELSA Historie Server (LcSvrHis) - Volkswagen AG - h:\ElsaWin\bin\LcSvrHis.exe
O23 - Service: ELSA PASS Server (LcSvrPAS) - Volkswagen AG - h:\ElsaWin\bin\LcSvrPas.exe
O23 - Service: ELSA APOSpro Server (LcSvrSaz) - Volkswagen AG - h:\ElsaWin\bin\LcSvrSaz.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
O23 - Service: SentinelSuperProNet Server (SuperProServer) - Rainbow Technologies - C:\WINDOWS\system32\spnsrvnt.exe
O23 - Service: ELSA Vaudis Service (VSGate) - Volkswagen AG - h:\ElsaWin\bin\VSgate.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - g:\xampp\service.exe (file missing)

--
End of file - 14718 bytes
nemiux
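The HijackThis log in the post above is the kind of thing a helper reads by eye, looking for the same few patterns every time: O2 BHO entries whose DLL is gone, O4 autoruns that name a bare executable or point into a Temp directory, and O23 services whose binary is missing or carries no publisher. The script below is an added example that mechanises that first pass. It is not part of the original post or of HijackThis; the sample lines are copied from the log above, except the `[example]` O4 entry, which is constructed to exercise the Temp-directory check and is not from the poster's machine.

```python
"""Flag HijackThis 2.x log entries that deserve a second look.

Added example for this thread, not part of HijackThis or the original post.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the log above, plus one invented
# "[example]" O4 line (NOT from the poster's machine) for the Temp check.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {2BC712F4-B482-4FD6-B56F-065E19A7B1D5} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [example] C:\DOCUME~1\user\LOCALS~1\Temp\example.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - g:\xampp\FileZillaFTP\FileZillaServer.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# "HKLM\..\Run: [name] command", optionally followed by "(User '...')"
O4_RE = re.compile(
    r"^(?P<hive>[^:]+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
QUALIFIED_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%)")  # drive letter, UNC or %ENV%
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    code: str    # HijackThis section, e.g. "O23"
    reason: str  # why the line deserves a look
    line: str    # the original log line


def exe_path(cmd: str) -> str:
    """Image path from an autorun command line: a quoted path keeps its
    spaces, an unquoted one ends at the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")

        if code == "O2" and body.endswith("(no file)"):
            # CLSID still registered as a BHO but the DLL is gone: a leftover
            # of a removed add-on, harmless by itself but worth cleaning.
            findings.append(Finding(code, "orphaned BHO: CLSID registered, DLL missing", line))

        elif code == "O4":
            m4 = O4_RE.match(body)
            if not m4:
                continue  # Startup-folder (.lnk) entries are not handled here
            path = exe_path(m4.group("cmd"))
            if not QUALIFIED_RE.match(path):
                # Bare image name: resolved through the search path at logon,
                # so a same-named file in an earlier directory would win.
                findings.append(Finding(code, f"unqualified image name '{path}'", line))
            elif TEMP_DIR_RE.search(path):
                findings.append(Finding(code, "autorun image lives in a Temp directory", line))

        elif code == "O23":
            parts = body.rsplit(" - ", 2)  # "Service: <display> - <owner> - <path>"
            if len(parts) != 3:
                continue
            _display, owner, path = parts
            if path.endswith("(file missing)"):
                findings.append(Finding(code, "service registered but binary is missing", line))
            elif owner == "Unknown owner":
                findings.append(Finding(code, "service binary has no publisher information", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HijackThis section code."""
    return dict(Counter(f.code for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Feed the contents of a saved hijackthis.log to `triage()` to run it on a real log. The flags are cues, not verdicts: a `(file missing)` service such as the FileZilla or XAMPP entry is usually a leftover of uninstalled software, and an unqualified image name like `nwiz.exe` only means the binary is resolved through the search path at logon, so confirm which file actually wins before deciding anything.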


#2  07-01-2009, 11:07 PM
johnb35, Moderator (Join Date: Sep 2005, Location: Near Joliet Illinois, Posts: 3,651)

Please run combofix and post the log that it displays at the end back here.

http://www.bleepingcomputer.com/comb...o-use-combofix

Can you tell me which drive you have labeled as the H drive? Flash drive, external drive?
johnb35

#3  07-02-2009, 01:19 PM
New Member (Join Date: Oct 2008, Posts: 22)

The H drive is a hard drive partition, 199 GB, NTFS. Here's the ComboFix log:
ComboFix 09-07-01.04 - Tadas 2009.07.02 14:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1033.18.2029.1414 [GMT 3:00]
Running from: G:\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\PurpleBean.exe
c:\windows\Installer\16560c8.msi
c:\windows\system32\mlfcache.dat
H:\install.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.

2009-07-01 17:26 . 2009-03-30 07:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-01 17:26 . 2009-03-24 13:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-01 17:26 . 2009-02-13 09:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-01 17:26 . 2009-02-13 09:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-01 17:26 . 2009-07-01 17:26 -------- d-----w- c:\program files\Avira
2009-07-01 17:26 . 2009-07-01 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-01 17:07 . 2009-07-01 17:07 -------- d-----w- c:\program files\Trend Micro
2009-07-01 11:20 . 2009-07-01 11:20 -------- d-----w- c:\documents and settings\Tadas\Application Data\AVG8
2009-06-29 18:36 . 2009-06-29 18:36 -------- d-----w- c:\program files\VSTplugins
2009-06-29 18:31 . 2009-06-29 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-06-29 18:31 . 2009-06-29 18:31 -------- d-----w- c:\program files\Sony Setup
2009-06-28 20:17 . 2009-06-28 20:17 -------- d-----w- c:\program files\DB Software
2009-06-23 17:35 . 2009-06-23 17:35 -------- d-----w- C:\Bosch
2009-06-21 20:42 . 2009-06-21 20:43 -------- d-----w- c:\documents and settings\Tadas\Application Data\Restorer
2009-06-19 18:35 . 2007-06-04 15:57 62480 ----a-w- c:\windows\system\rbserial.dll
2009-06-19 18:25 . 2004-04-23 09:37 127488 ----a-w- c:\windows\system32\awn32b.dll
2009-06-19 18:25 . 2003-03-19 01:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2009-06-19 18:25 . 2001-12-19 20:03 36864 ---ha-w- c:\windows\system32\psvince.dll
2009-06-18 14:06 . 2008-05-01 02:28 1654869 ----a-w- c:\documents and settings\All Users\Application Data\DynuEncrypt.dll
2009-06-17 22:45 . 2009-06-17 22:45 33824 ----a-w- c:\windows\system32\drivers\oreans32.sys
2009-06-17 21:59 . 2003-02-14 13:31 655360 ----a-w- c:\windows\system32\dslang32.dll
2009-06-17 21:59 . 2000-02-01 12:45 327680 ----a-w- c:\windows\system32\ldf251.dll
2009-06-17 21:58 . 2009-06-17 21:58 -------- d-----w- C:\ESI
2009-06-17 15:32 . 2009-03-12 09:53 483422 ----a-w- c:\windows\sttray.exe
2009-06-17 15:32 . 2009-03-12 09:53 171520 ----a-w- c:\windows\system32\st322000.dll
2009-06-17 14:50 . 2009-06-17 14:50 -------- d-----w- c:\documents and settings\LocalService\Application Data\CyberLink
2009-06-16 23:12 . 2009-06-26 22:52 397312 ----a-w- c:\windows\esi_kl01.dat
2009-06-16 23:12 . 2009-06-26 23:08 -------- d-----w- c:\program files\Common Files\Spielberg DMS
2009-06-16 23:11 . 2005-01-19 12:42 557056 ----a-w- c:\windows\system32\snbd10dm.dll
2009-06-16 23:11 . 2005-01-19 12:42 526336 ----a-w- c:\windows\system32\snbd8w98.dll
2009-06-16 23:11 . 2005-01-19 12:42 86528 ----a-w- c:\windows\system32\Igsncx22.dll
2009-06-13 17:29 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-13 17:29 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-11 22:29 . 2009-06-11 22:29 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-06-11 17:24 . 2009-06-11 17:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2009-06-11 16:23 . 2009-06-17 09:54 -------- d-----w- c:\documents and settings\Tadas\Application Data\Xfire
2009-06-11 16:20 . 2008-07-08 07:16 807936 ----a-w- c:\documents and settings\Tadas\Application Data\Mozilla\Firefox\Profiles\8m1ngrzz.default\extensions\SolidStateION@solidstatenetworks.com\plugins\solidnm.exe
2009-06-11 16:20 . 2008-07-08 07:16 122880 ----a-w- c:\documents and settings\Tadas\Application Data\Mozilla\Firefox\Profiles\8m1ngrzz.default\extensions\SolidStateION@solidstatenetworks.com\plugins\npssn.dll
2009-06-10 08:59 . 2009-06-10 08:59 -------- d-----w- c:\program files\PonyProg2000
2009-06-10 08:59 . 2000-06-29 14:24 3584 ----a-w- c:\windows\system32\drivers\DLPORTIO.SYS
2009-06-10 08:59 . 2000-06-29 14:24 34816 ----a-w- c:\windows\system32\DLPORTIO.DLL
2009-06-03 17:53 . 2009-06-03 14:48 779720 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-06-03 17:49 . 2009-06-03 17:52 -------- d-----w- c:\windows\vf_hip
2009-06-03 17:49 . 2009-06-03 17:52 -------- d-----w- c:\program files\Hide IP Platinum
2009-06-03 17:44 . 2009-06-03 17:44 -------- d-----w- c:\program files\Hide IP NG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 11:15 . 2008-06-13 14:09 -------- d-----w- c:\documents and settings\Tadas\Application Data\Skype
2009-07-02 11:13 . 2008-07-23 16:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-02 11:11 . 2009-04-27 15:33 -------- d-----w- c:\documents and settings\Tadas\Application Data\Free Download Manager
2009-07-02 11:04 . 2008-06-13 14:10 -------- d-----w- c:\documents and settings\Tadas\Application Data\skypePM
2009-07-01 17:23 . 2008-10-26 19:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 15:05 . 2009-02-25 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-29 21:39 . 2008-08-04 20:24 2432 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-29 18:31 . 2008-08-05 10:27 -------- d-----w- c:\program files\Sony
2009-06-28 18:16 . 2009-01-19 23:18 -------- d-----w- c:\program files\Sprint-Layout50 (Demo)
2009-06-27 21:20 . 2008-06-13 14:54 -------- d-----w- c:\documents and settings\Tadas\Application Data\uTorrent
2009-06-27 18:38 . 2008-06-29 23:40 -------- d-----w- c:\program files\Opera
2009-06-26 17:16 . 2008-07-10 10:45 34 ----a-w- c:\documents and settings\Tadas\jagex_runescape_preferences.dat
2009-06-23 18:24 . 2009-02-28 17:55 26 ----a-w- c:\windows\popcinfo.dat
2009-06-18 19:32 . 2009-01-30 12:44 3532 ----a-w- C:\drmHeader.bin
2009-06-17 15:32 . 2009-02-03 15:12 -------- d-----w- c:\program files\IDT
2009-06-17 15:22 . 2008-06-05 11:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-17 09:02 . 2008-06-09 23:49 93920 ----a-w- c:\documents and settings\Tadas\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 13:40 . 2009-04-29 17:00 -------- d-----w- c:\program files\Gunz
2009-06-14 14:58 . 2008-09-17 18:49 -------- d-----w- c:\program files\ABBYY FineReader 9.0
2009-06-11 17:33 . 2009-04-29 17:07 -------- d--h--w- c:\documents and settings\Tadas\Application Data\ijjigame
2009-06-11 17:33 . 2008-09-05 01:32 558552 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PLauncher.exe
2009-06-10 13:39 . 2009-04-30 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\IJJIGame
2009-06-03 17:44 . 2008-06-21 19:32 -------- d-----w- c:\documents and settings\Tadas\Application Data\Hide IP NG
2009-05-31 19:39 . 2009-05-31 19:39 -------- d-----w- c:\program files\Youtube Downloader HD
2009-05-31 19:20 . 2009-05-31 19:20 -------- d-----w- c:\program files\CodeGazer
2009-05-29 12:32 . 2009-05-29 12:32 -------- d-----w- c:\program files\AnalogX
2009-05-29 12:32 . 2009-05-29 12:28 -------- d-----w- c:\program files\ProxyWay
2009-05-29 11:50 . 2009-05-29 11:50 -------- d-----w- c:\documents and settings\Tadas\Application Data\tor
2009-05-25 19:20 . 2008-06-27 10:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-05-20 13:45 . 2009-04-27 17:56 -------- d-----w- c:\documents and settings\Tadas\Application Data\GetRightToGo
2009-05-20 12:39 . 2008-06-13 15:39 -------- d-----w- c:\program files\mIRC
2009-05-19 16:41 . 2009-05-19 16:41 -------- d-----w- c:\program files\ProtectDisc Driver Installer
2009-05-19 16:39 . 2009-05-19 16:39 -------- d-----w- c:\program files\ECA
2009-05-19 12:19 . 2008-07-23 17:45 -------- d-----w- c:\program files\Google
2009-05-19 10:41 . 2009-05-19 10:41 -------- d-----w- c:\program files\MProg 3.0a
2009-05-19 10:24 . 2009-05-19 10:22 -------- d-----w- c:\program files\Hpmbcalc
2009-05-19 06:58 . 2009-04-06 17:42 -------- d-----w- c:\program files\Windows Desktop Search
2009-05-15 15:28 . 2009-05-15 14:47 -------- d-----w- c:\program files\RealArcade
2009-05-15 14:51 . 2009-05-15 14:51 -------- d-----w- c:\documents and settings\Tadas\Application Data\iWin
2009-05-13 05:15 . 2008-05-11 08:59 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 17:48 . 2009-04-29 17:03 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-05-11 20:35 . 2008-09-02 21:59 68 --sh--r- C:\modiog.sys
2009-05-10 11:05 . 2009-05-10 11:04 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-05-10 10:58 . 2009-01-28 21:34 -------- d-----w- c:\documents and settings\Tadas\Application Data\DivX
2009-05-09 18:44 . 2009-05-09 18:44 782795312 ----a-w- c:\documents and settings\Tadas\Application Data\ijjigame\DriftCity_Setup.exe
2009-05-09 18:31 . 2009-05-09 18:31 -------- d-----w- c:\documents and settings\Tadas\Application Data\NPLUTO Corporation
2009-05-07 15:32 . 2008-04-14 04:41 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 17:05 . 2009-03-18 19:46 1 ----a-w- c:\documents and settings\Tadas\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-04 22:02 . 2009-03-24 17:33 -------- d-----w- c:\program files\Silca Software
2009-05-04 19:47 . 2008-11-19 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-30 15:28 . 2009-04-30 15:47 480688 ----a-w- c:\documents and settings\Tadas\Application Data\ijjigame\ijjistarter2FxB.exe
2009-04-30 15:26 . 2009-04-30 15:26 52105 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\uninst.exe
2009-04-29 21:18 . 2009-04-29 21:18 2368 ----a-w- c:\windows\system32\SVKP.sys
2009-04-29 17:07 . 2009-04-30 11:13 480688 ----a-w- c:\documents and settings\Tadas\Application Data\ijjigame\ijjistarter2.exe
2009-04-17 12:26 . 2008-04-14 00:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-14 04:42 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-09 19:28 . 2008-11-22 21:07 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-17 490952]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-01-07 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"PrintPack dispatcher"="c:\program files\Software602\Print2PDF\PrnPack.exe" [2007-11-23 73728]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fp pdis3a.exe" [2007-03-30 503808]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"Lingvo Launcher"="c:\program files\ABBYY Lingvo 12\Lvagent.exe" [2006-12-13 258048]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"Gainward"="c:\program files\VDOTool\TBPanel.exe" [2007-11-27 2169368]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]
"UpdatePDRShortCut"="g:\powerdirector\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 148888]
"wmagent.exe"="c:\program files\WebMoney Agent\wmagent.exe" [2008-10-01 209376]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-12 483422]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-02 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\Tadas\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= avnotify.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"g:\\Zaidimai\\Need For Speed Underground 2 [RIP]\\Underground 2 [Caged]\\Underground 2\\speed2.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\mIRC\\uninstall.exe _=C\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"g:\\Zaidimai\\World of Warcraft\\WoW-3.0.8.9464-to-3.0.8.9506-enGB-downloader.exe"=
"g:\\Zaidimai\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enGB-downloader.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\zMule\\zmule.exe"=
"g:\\Zaidimai\\World of Warcraft\\Launcher.exe"=
"g:\\Zaidimai\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enGB-downloader.exe"=
"g:\\Visokie softai\\NRPG RatioMaster.exe"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"c:\\Program Files\\Gunz\\Gunz.exe"=
"c:\\ijji\\ENGLISH\\u_skid.exe"=
"g:\\Zaidimai\\DriftCity\\DriftCity.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6112:TCP"= 6112:TCP:Diablo II
"443:TCP"= 443:TCP:SSL
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"20978:TCP"= 20978:TCP:Torrent
"15082:TCP"= 15082:TCP:*:Disabled:SolidNetworkManager
"15082:UDP"= 15082:UDP:*:Disabled:SolidNetworkManager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008.06.18 02:28 39472]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008.05.11 12:02 143360]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 Licensing Service;c:\program files\ABBYY FineReader 9.0\NetworkLicenseServer.exe [2007.09.25 00:11 566560]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\ACEDRV11.sys [2008.01.23 11:19 501560]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009.07.01 20:26 108289]
R2 COSIDS_TB;COSIDS_TB;h:\progra~1\COSIDS\BIN\TbMux32.exe [2008.09.05 19:21 165376]
R2 LcSvrAdm;ELSA Administration Service;h:\elsawin\bin\LcSvrAdm.exe [2008.10.30 00:28 147456]
R2 LcSvrDba;ELSA DBA Server;h:\elsawin\bin\LcSvrDba.exe [2008.10.30 00:28 241664]
R2 LcSvrHis;ELSA Historie Server;h:\elsawin\bin\LcSvrHis.exe [2008.10.30 00:28 217088]
R2 LcSvrPAS;ELSA PASS Server;h:\elsawin\bin\LcSvrPas.exe [2008.10.30 00:28 368640]
R2 LcSvrSaz;ELSA APOSpro Server;h:\elsawin\bin\LcSvrSaz.exe [2009.06.15 11:51 249856]
R2 NSHE;Guardant Emulator Driver;c:\windows\system32\drivers\NSHE.SYS [2009.02.11 02:56 97792]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2009.04.30 00:18 2368]
R2 VSGate;ELSA Vaudis Service;h:\elsawin\bin\VSGate.exe [2008.10.30 00:28 81920]
R3 LcSvrAuf;ELSA Auftragsverwaltungs Service;h:\elsawin\bin\LcSvrAuf.exe [2008.10.30 00:28 1306624]
S0 pxark;pxark; [x]
S2 gupdate1c9975a28bd7308;„Google“ atnaujinimo paslauga (gupdate1c9975a28bd7308);c:\program files\Google\Update\GoogleUpdate.exe [2009.02.25 18:03 133104]
S2 XAMPP;XAMPP Service;g:\xampp\service.exe --> g:\xampp\service.exe [?]
S3 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.SYS [2009.06.10 11:59 3584]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006.08.28 23:54 10664]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009.01.14 23:00 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009.01.14 23:00 8320]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 TpUsb;TpUsb Driver (TpUsb.sys);c:\windows\system32\Drivers\TpUsb.sys --> c:\windows\system32\Drivers\TpUsb.sys [?]
S3 XDva120;XDva120;\??\c:\windows\system32\XDva120.sys --> c:\windows\system32\XDva120.sys [?]
S3 XDva234;XDva234;\??\c:\windows\system32\XDva234.sys --> c:\windows\system32\XDva234.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-25 14:08]

2009-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-25 15:03]

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-25 15:03]

2009-07-02 c:\windows\Tasks\User_Feed_Synchronization-{B4194F27-6ED5-427D-90A3-6E765ADA04B3}.job
- c:\windows\system32\msfeedssync.exe [2008-05-11 01:31]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2BC712F4-B482-4FD6-B56F-065E19A7B1D5} - (no file)
HKCU-Run-ProxyWay - c:\program files\ProxyWay\proxyway.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.lt/
uInternet Connection Wizard,ShellNext = iexplore
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Translate with ABBYY &Lingvo... - c:\program files\ABBYY Lingvo 12\Lingvo.exe/3000
IE: {{5B7027AD-AA6D-40df-8F56-9560F277D2A5} - {E4ABF418-CB30-470C-BFF7-674AC0FC564F} - c:\program files\Software602\Print2PDF\Print602.dll
DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} - hxxps://w3s.webmoney.ru/WMAcceptor.dll
FF - ProfilePath - c:\documents and settings\Tadas\Application Data\Mozilla\Firefox\Profiles\8m1ngrzz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.lt/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\documents and settings\Tadas\Application Data\Mozilla\Firefox\Profiles\8m1ngrzz.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - plugin: c:\documents and settings\Tadas\Application Data\Mozilla\Firefox\Profiles\8m1ngrzz.default\extensions\SolidStateION@solidstatenetworks.com\plugins\npssn.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Opera\program\plugins\NPDocBox.dll
FF - plugin: c:\program files\Opera\program\plugins\nppdf32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 14:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-2000478354-1177238915-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0C0DB6AA-1A4B-39C4-882B-CAD9576C5D32}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abjnaonphncjalmkockjjpccnhglhglfid"=hex:61,61,00,00
"maknlndcanndkealpbminkjnog"=hex:61,61,00,00

[HKEY_USERS\S-1-5-21-1957994488-2000478354-1177238915-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:55,af,eb,fb,90,ff,b4,79,03,d4,9d,b9,96,ec,5c,e7,ad,bf,0a,8e,16,7d,96,
9c,bb,56,30,8b,d6,82,92,3d,45,0b,fe,de,78,5b,f0,15,39,5c,c1,64,cf,ab,6f,b1,\
"??"=hex:03,19,76,33,70,8c,2e,19,d1,71,a8,71,bc,15,cf,05

[HKEY_LOCAL_MACHINE\software\Classes\.asc\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3404)
c:\windows\system32\WININET.dll
c:\program files\ABBYY Lingvo 12\LvHook.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\progra~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
c:\progra~1\MICROS~2\OFFICE11\MCPS.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\IDT\IntelXPV_v103\WDM\stacsv.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Cyberlink\Shared files\RichVideo.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2009-07-02 14:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-02 11:17

Pre-Run: 6.451.372.032 bytes free
Post-Run: 6.721.200.128 bytes free

362 --- E O F --- 2009-06-13 21:32
nemiux
Old 07-02-2009, 07:40 PM   #4
Moderator
Join Date: Sep 2005
Location: Near Joliet Illinois
Age: 39
Posts: 3,651

Now I need you to post a fresh HijackThis log. How is your system running now?
johnb35
Old 07-03-2009, 09:53 PM   #5
New Member
Join Date: Oct 2008
Posts: 22
WOW
It's fixed. I've posted this problem in General Software before, and I did 2 screens; I won't try with AVG, because I have Avira now, but WinXP Manager works; I think it helped me. Thank you.
nemiux