I've been hacked - certain problems

xahelp

New Member
Before I detail, here are logs:
Malware:
Malwarebytes' Anti-Malware 1.36
Database version: 2057
Windows 5.1.2600 Service Pack 3

29/04/2009 08:40:07
mbam-log-2009-04-29 (08-40-07).txt

Scan type: Quick Scan
Objects scanned: 88262
Time elapsed: 6 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Trend Micro:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:28:46, on 29/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\forcefield.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CmUsbSound] "RunDll32" cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Cm108Sound] "RunDll32" cm108.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &ייצוא אל Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: שלח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: ש&לח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49C6C5D7-B3CA-4D14-9A80-E7FC689B1904}: NameServer = 80.179.52.100 80.179.55.100
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O21 - SSODL: Ipusmon - {FABAEA0A-654F-4B80-BF07-2DE87A85FA80} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8082 bytes
Problem #1:
Seems like the hacker changed something in the registry/hex values of .dlls/etc. When downloads are completed with my download manager named "IDM", I can't seem to see any of the downloaded files, although they exist, and I can tell that because I can open them with the "Open File" function of IDM. I did everything possible to see if I could change it; I even created a folder and tried to download certain things there, but it didn't work.

Note:
This isn't exactly a security problem, but it seems like this hacker hacked many sites, so I won't be able to register with my ordinary emails [even computerforum.com].

Problem #2: Whenever I click on files downloaded by uTorrent.exe, the explorer.exe process is automatically closed and restarted. How do I solve that?

Problem #3: Seems like the hacker won't leave me alone. There are always new spyware and viruses, which are of the same type (keyloggers, hijacks...).

Note 2: I do know one thing about all of that: I had an account which costs money, something like 6 USD per month. With this account, I could download many Japanese T.V. shows. I'm more than sure that he planned to hack this account and made sure I won't be able to report it, but I am lucky to be able to create even more Gmail accounts. Seems like it is easy for this hacker to hack MD5 encryption, but he won't be able to decrypt any AES-256 signals.
 
You may want to grab Superantispyware as well if you are continually having recurrences...and you aren't downloading and continuing to open/use illegal torrents. It sounds like your repeat infections are due to malicious files that you downloaded.

To make sure you are completely rid of any bug, format your hard drive and re-install a fresh OS. AND - don't keep downloading illegal torrents. ;)

...you get what you pay for...
 
Hello:

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happened, we want to know, and also which process you had to end.

In your next reply I will need:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
Response

Ok, I've done the tasks you'd like me to do.
Here are the logs:
ComboFix log:
ComboFix 09-04-29.07 - FMT 04/30/2009 23:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1037.18.1534.848 [GMT 3:00]
Running from: c:\user\FMT\LOCALS~1\Temp\IswTmp\DwlRun\ComboFix.exe
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Extreme Security Firewall *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-30 18:47 . 2009-04-30 18:50 -------- d-----w c:\user\FMT\Application Data\AVSEdit
2009-04-30 18:47 . 2009-04-30 18:47 108 ----a-w c:\user\FMT\Local Settings\Application Data\fusioncache.dat
2009-04-30 18:47 . 2009-04-30 18:50 -------- d-----w c:\user\FMT\Local Settings\Application Data\ApplicationHistory
2009-04-30 18:47 . 2009-04-30 18:47 -------- d-----w c:\program files\AVSEdit
2009-04-30 18:46 . 2009-04-30 18:46 -------- d-----w c:\windows\system32\URTTEMP
2009-04-30 18:23 . 2009-04-30 18:23 -------- d-----w c:\program files\AviSynth 2.5
2009-04-30 17:06 . 2009-04-30 17:06 -------- d-----w c:\user\FMT\Local Settings\Application Data\Microsoft Help
2009-04-30 16:32 . 2009-04-30 16:32 -------- d--h--r c:\user\ליז\Recent
2009-04-30 16:32 . 2009-04-30 16:32 -------- d--h--r c:\user\ליז\Recent
2009-04-30 03:12 . 2009-04-30 03:12 -------- d--h--r c:\user\רותי\Recent
2009-04-30 03:12 . 2009-04-30 03:12 -------- d--h--r c:\user\רותי\Recent
2009-04-30 00:17 . 2009-04-30 00:17 -------- d-----w c:\user\רותי\Application Data\Malwarebytes
2009-04-29 05:31 . 2009-04-29 05:31 -------- d-----w c:\user\FMT\Application Data\Malwarebytes
2009-04-29 05:31 . 2009-04-06 12:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-29 05:31 . 2009-04-06 12:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 05:31 . 2009-04-29 05:31 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-29 05:28 . 2009-04-29 05:28 -------- d-----w c:\program files\Trend Micro
2009-04-25 08:18 . 2009-04-25 08:18 -------- d-----w c:\program files\Common Files\ATI Technologies
2009-04-25 08:18 . 2009-04-25 08:18 -------- d-----w C:\ATI
2009-04-25 07:26 . 2009-04-25 07:26 -------- d-----w c:\user\All Users\Application Data\ATI
2009-04-25 07:26 . 2009-04-25 07:26 -------- d-----w c:\user\FMT\Application Data\ATI
2009-04-25 07:26 . 2009-04-25 07:26 -------- d-----w c:\user\FMT\Local Settings\Application Data\ATI
2009-04-25 07:22 . 2009-02-25 12:15 593920 ------w c:\windows\system32\ati2sgag.exe
2009-04-25 07:21 . 2009-04-25 07:23 -------- d-----w c:\program files\ATI Technologies
2009-04-25 07:20 . 2009-04-25 07:21 -------- d-----w C:\ATI Technologies
2009-04-24 12:19 . 2009-04-29 05:57 -------- d-----w c:\user\FMT\Tracing
2009-04-24 12:16 . 2009-04-25 07:04 -------- d-----w c:\user\FMT\Application Data\DMCache
2009-04-24 11:48 . 2009-04-29 16:24 -------- d-----w c:\user\FMT\Application Data\uTorrent
2009-04-23 06:36 . 2009-04-23 06:36 -------- d-----w c:\user\רותי\Application Data\Sun
2009-04-23 05:49 . 2009-04-23 05:49 -------- d-----w c:\user\FMT\Local Settings\Application Data\Help
2009-04-23 04:34 . 2009-04-30 14:05 -------- d-----w c:\program files\eMule
2009-04-22 14:30 . 2009-04-22 14:30 -------- d-sh--w c:\user\FMT\IECompatCache
2009-04-22 13:34 . 2009-04-22 13:34 -------- d-----w c:\user\FMT\Application Data\TuneUp Software
2009-04-22 13:26 . 2009-04-22 13:26 -------- d-----w c:\user\FMT\Application Data\DivX
2009-04-22 13:26 . 2009-04-22 13:26 -------- d-----w c:\user\FMT\Application Data\Media Player Classic
2009-04-22 13:16 . 2009-04-30 17:44 -------- d-----w c:\user\FMT\Application Data\#ISW.FS#
2009-04-22 13:16 . 2009-04-22 13:16 -------- d-----w c:\user\FMT\Application Data\CheckPoint
2009-04-22 13:16 . 2009-04-22 13:16 -------- d-----w c:\user\FMT\Local Settings\Application Data\Mozilla
2009-04-22 13:15 . 2009-04-22 13:15 -------- d-----w c:\user\FMT\Application Data\MailFrontier
2009-04-22 13:00 . 2008-04-13 17:17 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-22 12:57 . 2009-04-22 12:57 -------- d-----w c:\user\ליז\Application Data\Sunbelt
2009-04-22 12:51 . 2009-04-22 12:51 -------- d-----w c:\user\רותי\Downloads
2009-04-22 12:51 . 2009-04-22 12:51 -------- d-----w c:\user\רותי\Downloads
2009-04-21 17:56 . 2009-04-21 17:56 -------- d-----w c:\user\LocalService\תפריט התחלה
2009-04-21 02:32 . 2009-04-21 02:32 -------- d-----w c:\user\רותי\Application Data\Sunbelt
2009-04-20 23:03 . 2009-04-20 23:03 -------- d-----w c:\user\All Users\Application Data\Sunbelt
2009-04-20 23:03 . 2009-04-20 23:03 -------- d-----w c:\program files\Sunbelt Software
2009-04-20 22:07 . 2009-04-20 22:07 -------- d-----w c:\user\All Users\Application Data\Malwarebytes
2009-04-20 04:39 . 2009-04-20 23:02 12 ----a-w c:\windows\system32\kerukpnp.dll
2009-04-19 21:35 . 2009-04-19 21:35 -------- d-----w c:\program files\MSSOAP
2009-04-19 21:31 . 2009-04-19 21:31 200192 ----a-w c:\windows\system32\polutfax.dll
2009-04-19 21:14 . 2009-04-19 21:14 -------- d-----w c:\program files\Realtek
2009-04-19 21:14 . 2009-03-17 11:58 540672 ----a-w c:\windows\RtlExUpd.dll
2009-04-19 20:03 . 2009-04-19 20:03 -------- d-----w c:\user\ליז\Application Data\#ISW.FS#
2009-04-19 20:03 . 2009-04-19 20:03 -------- d-----w c:\user\ליז\Application Data\CheckPoint
2009-04-19 18:38 . 2009-04-19 18:38 -------- d-----w c:\user\All Users\Application Data\Fighters
2009-04-19 12:26 . 2009-04-19 12:26 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-19 12:26 . 2009-04-19 12:26 -------- d-----w c:\program files\LSoft Technologies Inc
2009-04-18 21:20 . 2009-02-25 22:58 3565568 ----a-w c:\windows\system32\dllcache\ati2mtag.sys
2009-04-18 21:20 . 2009-02-25 22:58 3565568 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-04-18 21:17 . 2009-04-18 21:17 -------- d-----w c:\user\רותי\Application Data\#ISW.FS#
2009-04-18 21:17 . 2009-04-18 21:17 -------- d-----w c:\user\רותי\Application Data\CheckPoint
2009-04-18 00:31 . 2009-04-30 20:08 46278432 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-18 00:29 . 2009-04-18 00:29 80 ----a-w c:\windows\system32\ibfl.dat
2009-04-18 00:29 . 2009-04-18 00:29 144 ----a-w c:\windows\system32\lkfl.dat
2009-04-18 00:29 . 2009-04-30 16:33 144 ----a-w c:\windows\system32\pdfl.dat
2009-04-18 00:29 . 2009-04-18 00:29 -------- d-----w c:\program files\CheckPoint
2009-04-18 00:29 . 2009-04-18 00:34 4212 ---ha-r c:\windows\system32\zllictbl.dat
2009-04-18 00:29 . 2009-03-31 16:20 72584 ----a-w c:\windows\zllsputility.exe
2009-04-18 00:28 . 2009-03-31 16:20 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-04-18 00:28 . 2009-04-30 13:24 -------- d-----w c:\windows\system32\ZoneLabs
2009-04-15 05:39 . 2009-04-15 05:39 -------- d-----w c:\user\All Users\Application Data\Blizzard
2009-04-14 19:35 . 2008-10-16 11:06 208744 ----a-w c:\windows\system32\muweb.dll
2009-04-14 19:35 . 2008-10-16 11:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-14 08:37 . 2001-11-23 10:08 712704 ----a-r c:\windows\system\a3d108pu.dll
2009-04-14 08:37 . 2005-03-07 12:29 45056 ----a-r c:\windows\system32\CM108rm.dll
2009-04-14 08:37 . 2007-07-23 12:17 274432 ----a-r c:\windows\system32\CM108rm.exe
2009-04-14 08:37 . 2006-03-09 15:45 32768 ----a-r c:\windows\system32\c108prop.dll
2009-04-14 08:37 . 2004-04-14 09:28 315392 ----a-r c:\windows\system\fltr108.dll
2009-04-14 08:37 . 2007-07-20 14:56 1312768 ----a-r c:\windows\system32\drivers\CM108.sys
2009-04-14 08:36 . 2007-07-23 13:31 266240 ------r c:\windows\Cmi108Uninstall.exe
2009-04-14 08:36 . 2009-04-14 08:36 -------- d-----w c:\program files\USB PnP Sound Device
2009-04-14 07:53 . 2001-11-23 10:08 712704 ----a-r c:\windows\system\a3d.dll
2009-04-11 00:53 . 2009-04-11 00:53 -------- d-----w c:\program files\MySQL
2009-04-11 00:53 . 2009-04-11 00:53 -------- d-----w c:\user\All Users\Application Data\MySQL
2009-04-11 00:12 . 2009-04-11 00:27 -------- d-----w C:\f46374e49a80ebd43b9f9f4a44
2009-04-10 14:25 . 2009-04-10 14:35 -------- d-----w c:\program files\ICQ6
2009-04-08 22:33 . 2009-04-08 22:33 -------- d-----w c:\program files\uTorrent
2009-04-08 08:03 . 2009-04-08 08:03 -------- d-----w c:\program files\Common Files\LightScribe
2009-04-08 07:49 . 2009-04-08 07:56 -------- d-----w c:\user\All Users\Application Data\LightScribe
2009-04-07 23:15 . 2009-04-07 23:15 -------- d-----w c:\user\All Users\Application Data\AVS4YOU
2009-04-07 22:40 . 2009-04-07 22:40 -------- d-----w c:\program files\Nero
2009-04-07 22:39 . 2009-04-07 23:05 -------- d-----w c:\user\All Users\Application Data\Nero
2009-04-07 17:22 . 2009-03-28 16:34 825344 ----a-w c:\windows\system32\drivers\cmudau.sys
2009-04-07 17:22 . 2009-03-28 16:34 98304 ----a-w c:\windows\system32\cmudau.dll
2009-04-07 17:22 . 2009-03-28 16:34 45056 ----a-w c:\windows\system\cmsnxeye.exe
2009-04-07 17:22 . 2009-03-28 16:34 14848 ----a-w c:\windows\system32\cmpropu.dll
2009-04-07 17:22 . 2009-03-28 16:34 917504 ----a-w c:\windows\system\cmds3du.dll
2009-04-07 17:22 . 2009-03-28 16:34 712704 ----a-w c:\windows\system32\a3dpropu.dll
2009-04-05 22:22 . 2009-04-05 22:22 -------- d-----w c:\user\רותי\Application Data\REAPER
2009-04-05 21:32 . 2009-04-05 21:32 -------- d-----w c:\user\רותי\Application Data\ICQ Toolbar
2009-04-05 21:30 . 2009-04-05 21:30 -------- d-----w c:\user\רותי\Application Data\MailFrontier
2009-04-05 12:16 . 2009-04-05 12:16 -------- d-----w c:\user\ליז\Application Data\MailFrontier
2009-04-05 10:10 . 2009-04-05 10:10 -------- d-----w c:\program files\Zone Labs
2009-04-05 10:10 . 2009-04-30 20:06 -------- d-----w c:\windows\Internet Logs
2009-04-03 18:46 . 2009-04-03 18:46 -------- d-----w c:\user\ליז\Application Data\ICQ Toolbar
2009-04-03 18:36 . 2009-04-03 18:47 -------- d-----w c:\user\ליז\Application Data\ICQ
2009-04-03 18:34 . 2009-04-03 18:34 -------- d-----w c:\user\ליז\Application Data\InstallShield
2009-04-03 17:03 . 2009-04-03 17:03 -------- d-----w c:\user\ליז\Application Data\WinRAR
2009-04-03 16:30 . 2009-04-05 10:09 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-03 16:30 . 2009-04-05 10:09 -------- d-----w c:\user\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-04-03 16:27 . 2009-04-03 16:27 -------- d-----w C:\00000082
2009-04-02 15:51 . 2009-04-02 15:51 -------- d-----w c:\windows\Sun
2009-04-02 15:51 . 2009-04-02 15:50 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-02 15:50 . 2009-04-02 15:50 -------- d-----w c:\program files\Java
2009-04-02 14:48 . 2009-04-02 14:48 -------- d-sh--w c:\user\ליז\IECompatCache
2009-04-02 14:48 . 2009-04-02 14:48 -------- d-sh--w c:\user\ליז\IECompatCache
2009-04-02 13:21 . 2009-04-02 13:22 -------- d-----w c:\user\ליז\Application Data\IDM
2009-04-02 13:21 . 2009-04-14 20:49 -------- d-----w c:\user\ליז\Application Data\DMCache
2009-04-02 09:26 . 2009-04-02 09:26 -------- d-----w c:\user\ליז\Local Settings\Application Data\Mozilla
2009-04-02 09:26 . 2009-04-02 09:26 -------- d-----w c:\user\ליז\Application Data\Mozilla
2009-04-02 09:20 . 2009-04-30 10:47 -------- d-----w c:\user\ליז\Tracing
2009-04-02 09:20 . 2009-04-30 10:47 -------- d-----w c:\user\ליז\Tracing
2009-04-02 08:10 . 2009-04-02 08:10 -------- d-----w c:\user\ליז\Application Data\DivX
2009-04-02 07:44 . 2009-04-02 07:44 -------- d-----w c:\user\ליז\Application Data\Macromedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-04-13 10:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2009-04-17 22:11 361600 CBEEBEB899E31EF52B962CB31FC8CA5C c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-03-31 982408]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ZAFFRegisterTrustChecker"="-s" [X]
"ZAFFRegisterTrustCheckerIE"="-s" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-03-08 128512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3306:TCP"= 3306:TCP:MySQL Server

S2 ISWKL;ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2009-04-17 21136]
S2 IswSvc;ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2009-04-17 394632]
S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-03-28 603904]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [2009-04-17 54928]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\system32\DRIVERS\tj2knd5.sys [2002-10-14 17616]
S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\system32\DRIVERS\tj2kunic.sys [2002-10-14 69680]
S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-07-20 1312768]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-04-30 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 14:28]

2009-04-30 c:\windows\Tasks\User_Feed_Synchronization-{63E1CC2A-4723-4A5B-9792-ECA736C079CD}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CmUsbSound - cmcnfgu.cpl
HKLM-Run-Cm108Sound - cm108.cpl
SSODL-Ipusmon-{FABAEA0A-654F-4B80-BF07-2DE87A85FA80} - (no file)


.
------- Supplementary Scan -------
.
IE: &ייצוא אל Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 23:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-884357618-682003330-1002\Software\Microsoft\ M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"File1"="c:\\WINDOWS\\system32\\compmgmt.msc"

[HKEY_USERS\S-1-5-21-1644491937-884357618-682003330-1005\Software\Microsoft\ M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"File1"="c:\\WINDOWS\\system32\\services.msc"
"File2"="c:\\WINDOWS\\system32\\eventvwr.msc"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1168)
c:\windows\system32\Ati2evxx.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'lsass.exe'(1448)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'explorer.exe'(3752)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\progra~1\ZONELA~1\ZONEAL~1\MAILFR~1\mlfhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-30 23:10
ComboFix-quarantined-files.txt 2009-04-30 20:10

Pre-Run: 100,394,287,104 bytes free
Post-Run: 100,607,524,864 bytes free

266 --- E O F --- 2009-03-29 05:42
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:12:01, on 30/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\forcefield.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1644491937-884357618-682003330-1002\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'ליז')
O4 - HKUS\S-1-5-21-1644491937-884357618-682003330-1002\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent (User 'ליז')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &ייצוא אל Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: שלח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: ש&לח אל OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6868 bytes
Update on the system processing:
First of all, ComboFix didn't restart my computer even once. It took only 4 minutes.
Second: I'm more than sure that the hacker would make it so I won't feel any significant change. I'm checking right now whether one of the problems is fixed. Update: It seems the explorer.exe ending process has been fixed. I still need to check what happens with IDM.
IDM Behaving

Ok, about IDM:
The same problems still happen, but there is another problem:
The directory the downloaded file should be in closes the program when the folder is opened. After re-opening the program, it seems as if I have never downloaded any file with the program ["auto-deletion"]: none of the completed downloads are shown in the download list, although the program shouldn't do that automatically, only manually.