help browser crashes not much time...lol HJT log

thestone86

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:07 AM, on 2/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\HTJ\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = %s - Yahoo! Search Results
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1229109443421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229111055687
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6680 bytes
 
You got some nasties

Remove these entries

C:\WINDOWS\system32\drivers\svchost.exe

O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
Then run Combofix and then SDFIX and post both their logs.

Combofix can be found in my guide.

SDFIX How To Use Sdfix
 
ComboFix 09-01-11.04 - Administrator 2009-02-04 12:33:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1502 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Resident AV is active

.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\svchost.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-01-29 00:17 . 2009-01-29 00:17 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-01-28 13:34 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-01-28 13:33 . 2009-01-28 13:33 <DIR> d-------- c:\program files\MSBuild
2009-01-28 13:33 . 2009-01-28 13:33 <DIR> d-------- c:\program files\Microsoft Works
2009-01-28 13:30 . 2009-01-28 13:33 <DIR> d-------- c:\windows\SHELLNEW
2009-01-28 13:30 . 2009-01-28 13:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-28 13:29 . 2009-01-28 13:29 <DIR> dr-h----- C:\MSOCache
2009-01-28 00:13 . 2009-02-04 11:34 5,497 --a------ c:\windows\system32\Config.MPF
2009-01-28 00:12 . 2009-01-29 00:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-01-28 00:11 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-28 00:11 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-01-28 00:11 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-28 00:11 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-01-28 00:11 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-28 00:11 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-01-28 00:10 . 2009-01-28 00:11 <DIR> d-------- c:\program files\McAfee.com
2009-01-28 00:10 . 2009-01-31 22:23 <DIR> d-------- c:\program files\McAfee
2009-01-28 00:10 . 2009-01-28 00:11 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-28 00:10 . 2009-01-29 00:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-26 21:11 . 2009-02-03 09:43 <DIR> d-------- c:\documents and settings\Administrator\Application Data\dvdcss
2009-01-09 23:16 . 2009-01-09 23:16 <DIR> d-------- c:\program files\JoWood
2009-01-08 19:24 . 2009-01-08 19:24 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-01-08 02:35 . 2009-01-08 02:35 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Leadertech
2009-01-06 20:24 . 2009-02-04 11:44 <DIR> d-------- C:\HTJ
2009-01-06 20:23 . 2009-01-06 20:23 <DIR> d-------- c:\program files\Trend Micro
2009-01-06 20:16 . 2009-01-06 20:16 <DIR> d-------- c:\program files\MSConfig CleanUp
2009-01-06 19:34 . 2009-01-06 19:34 <DIR> d-------- c:\program files\Lavasoft
2009-01-06 19:34 . 2009-01-06 19:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-06 10:49 . 2009-01-21 15:19 2,538 --a------ C:\rollback.ini
2009-01-06 10:14 . 2009-01-06 10:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2009-01-06 10:14 . 2009-01-24 23:24 4,212 --ah----- c:\windows\system32\zllictbl.dat
2009-01-06 10:13 . 2009-01-28 10:00 <DIR> d-------- c:\windows\system32\ZoneLabs
2009-01-06 10:12 . 2009-01-28 00:09 <DIR> d-------- c:\windows\Internet Logs
2009-01-06 00:18 . 2009-01-06 12:30 <DIR> d-------- c:\program files\Alwil Software
2009-01-06 00:18 . 2003-03-18 13:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-05 12:08 . 2009-01-12 11:33 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-05 12:07 . 2009-01-05 12:07 <DIR> d-------- c:\program files\Common Files\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 19:34 --------- d-----w c:\program files\Steam
2009-02-04 19:34 --------- d-----w c:\program files\PeerGuardian2
2009-02-04 19:33 --------- d-----w c:\documents and settings\Administrator\Application Data\Azureus
2009-02-03 21:03 --------- d-----w c:\documents and settings\Administrator\Application Data\vlc
2009-02-03 05:41 --------- d-----w c:\program files\Vuze
2009-01-13 17:49 --------- d-----w c:\program files\Logitech
2009-01-07 03:33 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-05 20:42 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-04 04:23 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDM2Nzk0Njh8_
2009-01-04 04:23 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Rapid Antivirus
2008-12-25 09:32 --------- d-----w c:\program files\Photo Viewer
2008-12-24 20:08 --------- d-----w c:\program files\DivX
2008-12-22 18:22 48 --sha-w C:\ftp.bat
2008-12-20 07:36 --------- d-----w c:\program files\AskSearch
2008-12-20 07:36 --------- d-----w c:\program files\AskBarDis
2008-12-20 07:36 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2008-12-20 07:35 --------- d-----w c:\program files\Common Files\i4j_jres
2008-12-20 07:32 --------- d-----w c:\program files\VideoLAN
2008-12-17 07:03 --------- d-----w c:\program files\AVG
2008-12-16 21:15 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-12-16 21:14 --------- d-----w c:\program files\AGEIA Technologies
2008-12-12 20:05 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-12 20:04 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-12 20:04 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-12-12 20:04 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-12-12 20:04 --------- d-----w c:\program files\Common Files\Logishrd
2008-12-12 20:04 --------- d-----w c:\documents and settings\All Users\Application Data\LogiShrd
2008-12-12 20:04 --------- d-----w c:\documents and settings\Administrator\Application Data\Logitech
2008-12-12 20:03 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-12-12 16:40 --------- d-----w c:\program files\Atheros Communications Inc
2008-12-12 14:59 --------- d-----w c:\program files\Common Files\Adobe
2008-12-12 14:55 --------- d-----w c:\program files\VIA
2008-12-12 13:21 --------- d-----w c:\program files\Intel
2008-12-12 12:34 --------- d-----w c:\program files\microsoft frontpage
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-12 21:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-11-08 00:38 84,496 ----a-w c:\windows\system32\KemXML.dll
2008-11-08 00:38 170,512 ----a-w c:\windows\system32\kemutb.dll
2008-11-08 00:38 145,936 ----a-w c:\windows\system32\KemUtil.dll
2008-11-08 00:38 117,264 ----a-w c:\windows\system32\KemWnd.dll
2008-11-08 00:37 301,656 ----a-w c:\windows\system32\BtCoreIf.dll
2002-01-02 04:48 32,768 ----a-w c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((( snapshot@2009-01-12_12.46.42.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-20 11:48:03 138,496 ----a-w c:\windows\$hf_mig$\KB951748\SP3QFE\afd.sys
+ 2008-06-20 17:43:05 147,968 ----a-w c:\windows\$hf_mig$\KB951748\SP3QFE\dnsapi.dll
+ 2008-06-20 17:43:05 245,248 ----a-w c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
+ 2008-06-20 11:59:02 361,600 ----a-w c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
+ 2008-06-20 11:16:44 225,856 ----a-w c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip6.sys
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB951748\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB951748\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB951748\update\spcustom.dll
+ 2007-11-30 12:39:18 755,576 ----a-w c:\windows\$hf_mig$\KB951748\update\update.exe
+ 2007-11-30 12:39:19 382,840 ----a-w c:\windows\$hf_mig$\KB951748\update\updspapi.dll
+ 2009-01-28 21:34:43 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-01-28 21:34:44 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-01-28 21:34:43 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-01-28 21:34:44 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-01-28 21:34:44 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-01-28 21:34:44 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-01-28 21:34:44 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-01-28 21:34:44 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-01-28 21:34:44 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-01-28 21:34:44 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-01-28 21:34:44 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-01-28 21:34:43 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-01-28 21:30:25 217,864 ----a-r c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
- 2009-01-12 19:43:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-04 17:12:55 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-12 19:43:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-04 17:12:55 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-14 04:41:54 147,968 -c--a-w c:\windows\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:46:57 147,968 -c--a-w c:\windows\system32\dllcache\dnsapi.dll
- 2008-04-14 04:42:02 245,248 -c--a-w c:\windows\system32\dllcache\mswsock.dll
+ 2008-06-20 17:46:57 245,248 -c--a-w c:\windows\system32\dllcache\mswsock.dll
- 2008-09-08 10:41:42 333,824 -c--a-w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c--a-w c:\windows\system32\dllcache\srv.sys
- 2008-04-13 23:50:18 361,344 -c--a-w c:\windows\system32\dllcache\tcpip.sys
+ 2008-06-20 11:51:12 361,600 -c--a-w c:\windows\system32\dllcache\tcpip.sys
- 2008-04-13 23:30:04 225,664 -c--a-w c:\windows\system32\dllcache\tcpip6.sys
+ 2008-06-20 11:08:27 225,856 -c--a-w c:\windows\system32\dllcache\tcpip6.sys
- 2008-04-14 04:41:54 147,968 ----a-w c:\windows\system32\dnsapi.dll
+ 2008-06-20 17:46:57 147,968 ----a-w c:\windows\system32\dnsapi.dll
- 2008-04-13 23:50:18 361,344 ----a-w c:\windows\system32\drivers\tcpip.sys
+ 2008-06-20 11:51:12 361,600 ----a-w c:\windows\system32\drivers\tcpip.sys
- 2008-04-13 23:30:04 225,664 ----a-w c:\windows\system32\drivers\tcpip6.sys
+ 2008-06-20 11:08:27 225,856 ----a-w c:\windows\system32\drivers\tcpip6.sys
+ 2006-10-26 22:10:08 1,190,688 ----a-w c:\windows\system32\FM20.DLL
+ 2006-10-26 22:10:06 33,088 ----a-w c:\windows\system32\FM20ENU.DLL
- 2008-12-12 19:40:09 90,296 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-01-29 00:22:05 263,024 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2006-10-26 21:45:04 207,360 ----a-w c:\windows\system32\INKED.DLL
- 2008-12-09 23:24:38 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2006-07-24 18:50:38 125,744 ----a-w c:\windows\system32\MSSTDFMT.DLL
- 2008-04-14 04:42:02 245,248 ----a-w c:\windows\system32\mswsock.dll
+ 2008-06-20 17:46:57 245,248 ----a-w c:\windows\system32\mswsock.dll
+ 2006-07-24 18:50:40 39,728 ----a-w c:\windows\system32\SCP32.DLL
+ 2006-10-27 03:56:16 864,080 ----a-w c:\windows\system32\spool\drivers\w32x86\3\msonpdrv.dll
+ 2006-10-27 03:56:14 67,408 ----a-w c:\windows\system32\spool\drivers\w32x86\3\msonpui.dll
+ 2006-10-27 03:56:16 864,080 ----a-w c:\windows\system32\spool\drivers\w32x86\msonpdrv.dll
+ 2006-10-27 03:56:14 67,408 ----a-w c:\windows\system32\spool\drivers\w32x86\msonpui.dll
+ 2006-10-27 03:56:12 33,104 ----a-w c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
+ 2006-07-24 18:50:40 47,920 ----a-w c:\windows\system32\VBAME.DLL
+ 2006-10-26 21:45:04 293,376 ----a-w c:\windows\system32\WISPTIS.EXE
- 2009-01-12 20:39:39 290,816 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2009-01-19 22:03:58 2,045,440 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2006-10-26 21:40:34 95,744 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841\ATL80.dll
+ 2006-10-26 21:40:36 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
+ 2006-10-26 21:40:36 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
+ 2006-10-26 21:40:36 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
+ 2006-10-26 21:40:36 1,093,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80.dll
+ 2006-10-26 21:40:36 1,079,808 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80u.dll
+ 2006-10-26 21:40:36 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80.dll
+ 2006-10-26 21:40:36 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80u.dll
+ 2006-10-26 21:40:36 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHS.dll
+ 2006-10-26 21:40:36 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHT.dll
+ 2006-10-26 21:40:36 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80DEU.dll
+ 2006-10-26 21:40:36 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ENU.dll
+ 2006-10-26 21:40:36 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ESP.dll
+ 2006-10-26 21:40:36 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80FRA.dll
+ 2006-10-26 21:40:36 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ITA.dll
+ 2006-10-26 21:40:36 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80JPN.dll
+ 2006-10-26 21:40:36 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80KOR.dll
.
 
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-09 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Steam"="c:\program files\steam\steam.exe" [2008-12-16 1410296]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-01-30 1432064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-04-09 29757440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-20 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-20 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-20 137752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"realtecss"="c:\documents and settings\Administrator\Application Data\Google\phtrc345015.exe" [2009-02-04 125952]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 c:\windows\KHALMNPR.Exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-12 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-12 809488]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 16:41 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\nnnnKbBq

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\thestone86\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\system32\\drivers\\svchost.exe"=

R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [2008-12-12 36224]
R4 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-12 10384]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-29 206096]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-12-12 222976]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2008-12-19 464264]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2008-12-19 234888]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a440d0af-c7ea-11dd-8095-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.bat
.
Contents of the 'Scheduled Tasks' folder

2009-01-28 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-28 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gcfj3guq.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 12:33:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2009-02-04 12:35:02
ComboFix-quarantined-files.txt 2009-02-04 20:34:59
ComboFix2.txt 2009-01-12 20:47:11

Pre-Run: 94,145,347,584 bytes free
Post-Run: 94,223,183,872 bytes free

290 --- E O F --- 2009-01-15 19:11:20
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:06 PM, on 2/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HTJ\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = %s - Yahoo! Search Results
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1229109443421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229111055687
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6556 bytes
 
Well the log looks good. I need you to run ComboFix one more time after you reboot just to make sure that file doesn't come back.
 
ComboFix 09-01-11.04 - Administrator 2009-02-04 13:22:16.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1591 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Resident AV is active

.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-04 12:57 . 2009-02-04 12:57 <DIR> d-------- c:\windows\ERUNT
2009-02-04 12:47 . 2009-02-04 13:04 <DIR> d-------- C:\SDFix
2009-01-29 00:17 . 2009-01-29 00:17 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-01-28 13:34 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-01-28 13:33 . 2009-01-28 13:33 <DIR> d-------- c:\program files\MSBuild
2009-01-28 13:33 . 2009-01-28 13:33 <DIR> d-------- c:\program files\Microsoft Works
2009-01-28 13:30 . 2009-01-28 13:33 <DIR> d-------- c:\windows\SHELLNEW
2009-01-28 13:30 . 2009-01-28 13:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-28 13:29 . 2009-01-28 13:29 <DIR> dr-h----- C:\MSOCache
2009-01-28 00:13 . 2009-02-04 13:04 6,203 --a------ c:\windows\system32\Config.MPF
2009-01-28 00:12 . 2009-01-29 00:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-01-28 00:11 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-28 00:11 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-01-28 00:11 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-28 00:11 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-01-28 00:11 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-28 00:11 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-01-28 00:10 . 2009-01-28 00:11 <DIR> d-------- c:\program files\McAfee.com
2009-01-28 00:10 . 2009-01-31 22:23 <DIR> d-------- c:\program files\McAfee
2009-01-28 00:10 . 2009-01-28 00:11 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-28 00:10 . 2009-01-29 00:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-26 21:11 . 2009-02-03 09:43 <DIR> d-------- c:\documents and settings\Administrator\Application Data\dvdcss
2009-01-09 23:16 . 2009-01-09 23:16 <DIR> d-------- c:\program files\JoWood
2009-01-08 19:24 . 2009-01-08 19:24 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-01-08 02:35 . 2009-01-08 02:35 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Leadertech
2009-01-06 20:24 . 2009-02-04 13:07 <DIR> d-------- C:\HTJ
2009-01-06 20:23 . 2009-01-06 20:23 <DIR> d-------- c:\program files\Trend Micro
2009-01-06 20:16 . 2009-01-06 20:16 <DIR> d-------- c:\program files\MSConfig CleanUp
2009-01-06 19:34 . 2009-01-06 19:34 <DIR> d-------- c:\program files\Lavasoft
2009-01-06 19:34 . 2009-01-06 19:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-06 10:49 . 2009-01-21 15:19 2,538 --a------ C:\rollback.ini
2009-01-06 10:14 . 2009-01-06 10:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2009-01-06 10:14 . 2009-01-24 23:24 4,212 --ah----- c:\windows\system32\zllictbl.dat
2009-01-06 10:13 . 2009-01-28 10:00 <DIR> d-------- c:\windows\system32\ZoneLabs
2009-01-06 10:12 . 2009-01-28 00:09 <DIR> d-------- c:\windows\Internet Logs
2009-01-06 00:18 . 2009-01-06 12:30 <DIR> d-------- c:\program files\Alwil Software
2009-01-06 00:18 . 2003-03-18 13:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-05 12:08 . 2009-01-12 11:33 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-05 12:07 . 2009-01-05 12:07 <DIR> d-------- c:\program files\Common Files\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 21:05 --------- d-----w c:\program files\PeerGuardian2
2009-02-04 21:04 --------- d-----w c:\program files\Steam
2009-02-04 19:33 --------- d-----w c:\documents and settings\Administrator\Application Data\Azureus
2009-02-03 21:03 --------- d-----w c:\documents and settings\Administrator\Application Data\vlc
2009-02-03 05:41 --------- d-----w c:\program files\Vuze
2009-01-13 17:49 --------- d-----w c:\program files\Logitech
2009-01-07 03:33 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-05 20:42 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-04 04:23 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDM2Nzk0Njh8_
2009-01-04 04:23 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Rapid Antivirus
2008-12-25 09:32 --------- d-----w c:\program files\Photo Viewer
2008-12-24 20:08 --------- d-----w c:\program files\DivX
2008-12-22 18:22 48 --sha-w C:\ftp.bat
2008-12-20 07:36 --------- d-----w c:\program files\AskSearch
2008-12-20 07:36 --------- d-----w c:\program files\AskBarDis
2008-12-20 07:36 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2008-12-20 07:35 --------- d-----w c:\program files\Common Files\i4j_jres
2008-12-20 07:32 --------- d-----w c:\program files\VideoLAN
2008-12-17 07:03 --------- d-----w c:\program files\AVG
2008-12-16 21:15 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-12-16 21:14 --------- d-----w c:\program files\AGEIA Technologies
2008-12-12 20:05 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-12 20:04 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-12 20:04 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-12-12 20:04 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-12-12 20:04 --------- d-----w c:\program files\Common Files\Logishrd
2008-12-12 20:04 --------- d-----w c:\documents and settings\All Users\Application Data\LogiShrd
2008-12-12 20:04 --------- d-----w c:\documents and settings\Administrator\Application Data\Logitech
2008-12-12 20:03 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-12-12 16:40 --------- d-----w c:\program files\Atheros Communications Inc
2008-12-12 14:59 --------- d-----w c:\program files\Common Files\Adobe
2008-12-12 14:55 --------- d-----w c:\program files\VIA
2008-12-12 13:21 --------- d-----w c:\program files\Intel
2008-12-12 12:34 --------- d-----w c:\program files\microsoft frontpage
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-12 21:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-11-08 00:38 84,496 ----a-w c:\windows\system32\KemXML.dll
2008-11-08 00:38 170,512 ----a-w c:\windows\system32\kemutb.dll
2008-11-08 00:38 145,936 ----a-w c:\windows\system32\KemUtil.dll
2008-11-08 00:38 117,264 ----a-w c:\windows\system32\KemWnd.dll
2008-11-08 00:37 301,656 ----a-w c:\windows\system32\BtCoreIf.dll
2002-01-02 04:48 32,768 ----a-w c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((( snapshot_2009-02-04_12.34.25.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 23:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-02-04 20:57:49 5,505,024 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2009-02-04 20:57:49 20,480 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 23:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-02-04 20:57:39 5,505,024 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2009-02-04 20:57:39 20,480 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2009-02-04 17:12:55 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-04 21:16:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-04 17:12:55 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-04 21:16:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-09 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Steam"="c:\program files\steam\steam.exe" [2008-12-16 1410296]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-01-30 1432064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-04-09 29757440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-20 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-20 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-20 137752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"realtecss"="c:\documents and settings\Administrator\Application Data\Google\phtrc345015.exe" [2009-02-04 125952]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 c:\windows\KHALMNPR.Exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-12 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-12 809488]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 16:41 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\nnnnKbBq

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\thestone86\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\system32\\drivers\\svchost.exe"=

R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [2008-12-12 36224]
R4 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-12 10384]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-29 206096]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-12-12 222976]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2008-12-19 464264]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2008-12-19 234888]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a440d0af-c7ea-11dd-8095-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.bat
.
Contents of the 'Scheduled Tasks' folder

2009-01-28 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-28 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gcfj3guq.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 13:22:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2009-02-04 13:23:32
ComboFix-quarantined-files.txt 2009-02-04 21:23:29
ComboFix2.txt 2009-02-04 20:35:04
ComboFix3.txt 2009-01-12 20:47:11

Pre-Run: 94,157,475,840 bytes free
Post-Run: 94,145,720,320 bytes free

215 --- E O F --- 2009-01-15 19:11:20
 