[Fixed] HijackThis! Logs - explorer.exe (Security & Safety forums)
  #1  
Old 06-25-2008
Bronze Member
 
Join Date: Jun 2008
Posts: 16
PC Experience: Some Experience
finalstud - See this Members User comments on their Profile page
explorer.exe

Hi guys, I'm kinda new to this forum and stuff, but let's get to the main point. I installed SP2 and downloaded a Microsoft security update. After that, it told me to reboot my computer and I did. On the next logon, my Spybot program (Spybot Search and Destroy) scanned my PC. It doesn't usually do that, but I let it go. Nothing was found, and then a lot of cmd programs pop up randomly and it does that for about 4-5 secs. They close and then an error box comes up and says something like, "For security reasons, explorer.exe needs to be shut down." So my desktop is gone and I only see my wallpaper. I try to run explorer.exe through the Task Manager, but no go. Could it be the Microsoft security update? Oh yeah, when I used System Restore to revert back to my Service Pack 1, my explorer.exe worked. I need SP2 because my wireless router is configured to a w psk server. Unfortunately, Service Pack 1 doesn't support WPA, only WEP. Here's my HijackThis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:48:34 PM, on 6/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: (no name) - {32213194-4623-4CE9-97FE-2F511021331C} - (no file)
O2 - BHO: (no name) - {3A3C138D-907D-4C8C-9DC4-D277D0554F1B} - C:\WINDOWS\System32\ddcAstsR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5F11D5D5-3FB2-4ADD-84AD-D69BC9A5D312} - C:\WINDOWS\System32\ssqOETlK.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {bce0a352-1e2d-0b18-6ed4-a054efc6f32a} - {a23f6cfe-450a-4de6-81b0-d2e1253a0ecb} - C:\WINDOWS\system32\clarggvp.dll
O3 - Toolbar: ??? ??! ??? ?????. - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lphcct2j0e94p] C:\WINDOWS\System32\lphcct2j0e94p.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [b034c368] rundll32.exe "C:\WINDOWS\system32\sdmihhnc.dll",b
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BMb307f0f4] Rundll32.exe "C:\WINDOWS\system32\rknxxfqn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: ImageShack® - Tstart
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.siren24.co.kr
O15 - Trusted Zone: http://*.siren24.com
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://kings.nefficient.co.kr/kings/...8/kdfense8.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol hijack: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6}
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF}
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol hijack: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol hijack: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}
O20 - AppInit_DLLs: clarggvp.dll
O20 - Winlogon Notify: ssqOETlK - C:\WINDOWS\SYSTEM32\ssqOETlK.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxci_device - - C:\WINDOWS\System32\lxcicoms.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9172 bytes



Last edited by finalstud; 06-25-2008 at 01:54 AM.
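As an added example (my own code, not part of this thread and not from the HijackThis authors), here is a small Python triage script that parses lines in the HijackThis log format and flags the kinds of entries a helper looks for first in a log like the one above. The sample lines are constructed; they copy the shape of the posted log, and the heuristics (nameless or GUID-named BHOs that still point at a DLL on disk, Run values named with bare hex, rundll32 calling a one-letter export, replaced protocol handlers, any O20 entry, and one DLL registered in more than one section) are my own choices rather than anything HijackThis itself computes.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the HijackThis log format:
# "<section> - <kind>: <name> - <CLSID> - <file>". Not the full log from this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {32213194-4623-4CE9-97FE-2F511021331C} - (no file)
O2 - BHO: (no name) - {3A3C138D-907D-4C8C-9DC4-D277D0554F1B} - C:\WINDOWS\System32\ddcAstsR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: {bce0a352-1e2d-0b18-6ed4-a054efc6f32a} - {a23f6cfe-450a-4de6-81b0-d2e1253a0ecb} - C:\WINDOWS\system32\clarggvp.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [b034c368] rundll32.exe "C:\WINDOWS\system32\sdmihhnc.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
O20 - AppInit_DLLs: clarggvp.dll
O20 - Winlogon Notify: ssqOETlK - C:\WINDOWS\SYSTEM32\ssqOETlK.dll
""".strip()

# Field layouts for the sections we inspect. HijackThis separates fields with " - ".
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")
# rundll32 <dll>,<export>; quotes around the DLL path are optional.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S+)$', re.IGNORECASE)
DLL_RE = re.compile(r"[\w~$-]+\.dll\b", re.IGNORECASE)


@dataclass
class Finding:
    section: str        # HijackThis section tag ("O2", "O4", ...) or "cross-ref"
    line: str           # the log line (or the DLL name for a cross-reference finding)
    reasons: list[str]  # every heuristic that fired on it


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line, plus one per DLL seen in several sections."""
    findings: list[Finding] = []
    dll_sections: dict[str, set[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        for dll in DLL_RE.findall(line):
            dll_sections.setdefault(dll.lower(), set()).add(section)
        reasons: list[str] = []
        if section == "O2":
            m = BHO_RE.match(line)
            if m and m.group("file") != "(no file)":
                if m.group("name") == "(no name)":
                    reasons.append("BHO has no display name but does have a DLL on disk")
                elif GUID_RE.match(m.group("name")):
                    reasons.append("BHO display name is itself a GUID")
        elif section == "O4":
            m = RUN_RE.match(line)
            if m:
                if HEX_NAME_RE.match(m.group("value")):
                    reasons.append("Run value name is a bare 8-digit hex string")
                r = RUNDLL_RE.match(m.group("cmd"))
                if r and len(r.group("export")) == 1:
                    reasons.append("rundll32 calls a one-letter export")
        elif section == "O18" and line.startswith("O18 - Protocol hijack:"):
            reasons.append("standard URL protocol handler has been replaced")
        elif section == "O20":
            reasons.append("AppInit_DLLs / Winlogon Notify load into every process or logon")
        if reasons:
            findings.append(Finding(section, line, reasons))
    # A DLL that shows up under more than one section (e.g. a BHO that is also an
    # AppInit_DLL) is worth a second look even if each line alone looked ordinary.
    for dll, sections in sorted(dll_sections.items()):
        if len(sections) > 1:
            findings.append(Finding("cross-ref", dll, [f"same DLL registered in {', '.join(sorted(sections))}"]))
    return findings


def report(findings: list[Finding]) -> str:
    out: list[str] = []
    for f in findings:
        out.append(f"[{f.section}] {f.line}")
        out.extend(f"    -> {r}" for r in f.reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against the sample, the script leaves ctfmon.exe, NvCplDaemon, the Spybot helper and the plain https handler alone and flags the six remaining lines, then adds a cross-reference finding because clarggvp.dll appears both as a BHO (O2) and in AppInit_DLLs (O20). The heuristics are deliberately narrow; a line they do not flag is not thereby clean, which is why the thread's helper asks for a fuller ComboFix report rather than acting on the HijackThis log alone.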
  #2  
Old 06-25-2008
Pancake's Avatar
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,608
PC Experience: Elite PC Guru
Pancake - See this Members User comments on their Profile page
Re: explorer.exe

You picked up some malware....


OK. Let's download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.

NOTE: ComboFix prevents autorun of all CDs, floppies and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please let me know.

=======================================

Please download SDFix from here and save it to your desktop

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Please copy and paste that log in your next reply.


__________________
My real name is Eddy
  #3  
Old 06-25-2008
Bronze Member
 
Join Date: Jun 2008
Posts: 16
PC Experience: Some Experience
finalstud - See this Members User comments on their Profile page
Re: explorer.exe

OK, I'll try it out ASAP. It will take a while to get home, but I'll do it.


  #4  
Old 06-25-2008
Bronze Member
 
Join Date: Jun 2008
Posts: 16
PC Experience: Some Experience
finalstud - See this Members User comments on their Profile page
Re: explorer.exe

Here's my ComboFix log; my new HijackThis log will come in my next post.


ComboFix 08-06-20.4 - Sam 2008-06-25 13:02:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.262 [GMT -7:00]
Running from: C:\Documents and Settings\Sam\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sam\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMb307f0f4.xml
C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2008-06-24 17:32 . 2008-06-24 17:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-23 23:40 . 2008-06-23 23:40 105,984 --a------ C:\WINDOWS\system32\clarggvp.dll
2008-06-23 23:37 . 2008-06-25 12:43 1,729,026 ---hs---- C:\WINDOWS\system32\cnhhimds.ini
2008-06-23 23:37 . 2008-06-23 23:37 81,408 --a------ C:\WINDOWS\system32\sdmihhnc.dll
2008-06-23 23:34 . 2008-06-23 23:34 91,136 --a------ C:\WINDOWS\system32\rknxxfqn.dll
2008-06-23 23:15 . 2008-06-23 23:15 3,800 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-06-23 23:04 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-06-23 23:02 . 2004-08-04 00:56 96,768 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-06-23 22:56 . 2004-08-04 00:56 2,897,920 --a------ C:\WINDOWS\system32\xpsp2res.dll
2008-06-23 22:54 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\003412_.tmp
2008-06-23 22:54 . 2004-08-03 22:42 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-23 22:50 . 2008-06-23 22:50 <DIR> d-------- C:\WINDOWS\EHome
2008-06-23 22:41 . 2006-06-27 05:40 12,800 -----c--- C:\WINDOWS\system32\dllcache\WgaTray.exe
2008-06-23 22:41 . 2006-06-27 05:40 3,584 -----c--- C:\WINDOWS\system32\dllcache\WgaLogon.dll
2008-06-23 22:07 . 2008-06-23 22:07 <DIR> d-------- C:\b124b638206a6da228fc
2008-06-23 16:19 . 2008-06-23 16:19 321,536 --a------ C:\WINDOWS\system32\khfCUNHW.dll_old
2008-06-20 12:31 . 2008-06-23 22:00 <DIR> d-------- C:\Perfect World
2008-06-19 21:05 . 2008-06-19 21:05 19,367 --a------ C:\WINDOWS\system32\wbers.dat.dmp
2008-06-17 19:30 . 2008-06-17 19:30 <DIR> d-------- C:\WINDOWS\Logs
2008-06-17 18:59 . 2008-06-17 18:59 <DIR> d-------- C:\WINDOWS\provisioning
2008-06-17 18:59 . 2004-08-03 22:59 423,936 --a------ C:\WINDOWS\system32\html.iec
2008-06-17 18:59 . 2004-07-17 11:35 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img
2008-06-17 18:59 . 2004-07-17 11:48 66,082 --a------ C:\WINDOWS\system32\c_28603.nls
2008-06-17 18:59 . 2004-07-17 11:36 64,352 --------- C:\WINDOWS\system32\drivers\ativmc20.cod
2008-06-17 18:56 . 2008-06-17 18:56 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-17 18:51 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002606_.tmp
2008-06-17 17:54 . 2008-06-17 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-06-16 21:02 . 2008-03-30 06:06 332,672 --a------ C:\WINDOWS\system32\wgatray.exe.bak
2008-06-16 21:02 . 2008-03-30 06:06 200,064 --a------ C:\WINDOWS\system32\wgalogon.dll.bak
2008-06-16 21:02 . 2008-06-16 22:01 41,984 --a------ C:\WINDOWS\mrofinu1044.exe
2008-06-14 21:03 . 1999-04-09 02:14 416,304 --a------ C:\WINDOWS\system32\MPG4C32.DLL
2008-06-14 21:02 . 2008-06-14 21:02 <DIR> d-------- C:\Program Files\ValuSoft
2008-06-11 20:50 . 2008-06-11 20:50 <DIR> d-------- C:\Program Files\KCP
2008-06-11 20:49 . 2008-06-11 20:49 76,431 --a------ C:\WINDOWS\system32\npkcmsvc.exe
2008-06-11 20:45 . 2008-06-11 20:45 <DIR> d-------- C:\WINDOWS\kdefense
2008-06-11 20:45 . 2008-06-11 20:45 766,816 --a------ C:\WINDOWS\system32\kdfinj.dll
2008-06-11 20:45 . 2008-06-11 20:45 640,352 --a------ C:\WINDOWS\system32\kdfmgr.exe
2008-06-11 20:45 . 2008-06-11 20:45 213,075 --a------ C:\WINDOWS\system32\kdfmod.dll
2008-06-11 20:45 . 2008-06-11 20:45 192,512 --a------ C:\WINDOWS\system32\kdfvmgr.exe
2008-06-11 20:45 . 2008-06-11 20:45 77,824 --a------ C:\WINDOWS\system32\kdfapi.dll
2008-06-11 20:45 . 2008-06-11 20:45 53,248 --a------ C:\WINDOWS\system32\Kdfhok.dll
2008-06-11 20:19 . 2008-06-11 20:19 <DIR> d-------- C:\Program Files\GameSpy Arcade
2008-06-11 20:17 . 2008-06-11 20:17 <DIR> d-------- C:\Program Files\Microsoft Games
2008-06-02 22:19 . 2008-06-02 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-02 21:35 . 2001-08-23 05:00 21,504 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-06-02 21:34 . 2008-06-02 21:34 <DIR> d-------- C:\Program Files\Comodo
2008-06-02 21:34 . 2008-06-12 16:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC426
2008-06-02 21:34 . 2008-03-28 09:17 212,728 --a------ C:\WINDOWS\CMDLIC.DLL
2008-06-02 21:34 . 2008-03-28 09:16 205,560 --a------ C:\WINDOWS\UNBOC.EXE
2008-06-02 21:34 . 2008-06-25 12:39 9,396 --a------ C:\WINDOWS\BOC426.INI
2008-06-02 21:22 . 2008-06-02 21:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-02 21:22 . 2008-06-03 07:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-02 21:01 . 2008-06-03 07:01 90,838 --a------ C:\WINDOWS\system32\phcct2j0e94p.bmp
2008-06-02 21:01 . 2008-06-03 07:01 52,736 --a------ C:\WINDOWS\system32\blphcct2j0e94p.scr
2008-05-31 20:54 . 2008-06-23 23:14 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\Hamachi
2008-05-31 20:49 . 2008-05-31 20:50 <DIR> d-------- C:\Program Files\Hamachi
2008-05-31 20:49 . 2008-05-31 20:49 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-05-28 16:35 . 2008-05-28 16:35 <DIR> d-------- C:\Program Files\GAMENAO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 19:26 --------- d-----w C:\Documents and Settings\Sam\Application Data\Def
2008-06-24 06:22 --------- d-----w C:\Program Files\Lx_cats
2008-06-24 06:09 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd9485.sys
2008-06-24 05:07 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-06-24 05:07 --------- d-----w C:\Documents and Settings\Sam\Application Data\uTorrent
2008-06-24 05:07 --------- d-----w C:\Documents and Settings\Sam\Application Data\SystemRequirementsLab
2008-06-24 04:41 --------- d-----w C:\Program Files\Steam
2008-06-22 05:29 --------- d-----w C:\Program Files\Warcraft III
2008-06-17 03:27 --------- d-----w C:\Documents and Settings\Sam\Application Data\DivX
2008-06-16 04:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-13 01:13 --------- d-----w C:\Program Files\mIRC
2008-06-12 21:32 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-03 05:20 --------- d-----w C:\Program Files\Lavasoft
2008-06-03 05:20 --------- d-----w C:\Documents and Settings\Sam\Application Data\Lavasoft
2008-06-03 05:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-22 22:10 --------- d-----w C:\Program Files\softnyx
2008-05-22 21:55 --------- d-----w C:\Program Files\DAP
2008-05-20 04:08 --------- d--h--w C:\Documents and Settings\Sam\Application Data\ijjigame
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-15 04:45 50,688 ----a-w C:\WINDOWS\system32\wbhelp2.dll
2008-05-14 23:51 --------- d-----w C:\Program Files\RivaTuner v2.09
2008-05-04 23:55 --------- d-----w C:\Documents and Settings\Sam\Application Data\Skype
2008-05-04 16:45 --------- d-----w C:\Program Files\ARES
2008-05-01 00:27 442,368 -c--a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-29 04:56 --------- d-----w C:\Program Files\uTorrent
2008-04-28 22:50 57,344 ----a-w C:\cc.exe
2008-04-28 22:50 24,576 ----a-w C:\cn.exe
2008-04-28 00:26 --------- d-----w C:\Program Files\AIM6
2008-04-28 00:26 --------- d-----w C:\Program Files\AIM Search
2008-04-28 00:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-28 00:25 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-27 07:00 --------- d-----w C:\Documents and Settings\Sam\Application Data\InstallShield
2008-04-25 01:48 --------- d-----w C:\Program Files\Neffy
1997-06-02 12:17 8,192 -c--a-w C:\Program Files\_ISDEL.EXE
2006-05-17 03:00 56 -csha-r C:\WINDOWS\Copy of system32\CB00905B7F.sys
2006-05-17 03:00 56 -csha-r C:\WINDOWS\system32\CB00905B7F.sys
2006-05-17 03:00 1,890 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a23f6cfe-450a-4de6-81b0-d2e1253a0ecb}]
2008-06-23 23:40 105984 --a------ C:\WINDOWS\system32\clarggvp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\System32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2007-06-11 13:34 190696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BOC-426"="C:\PROGRA~1\Comodo\CBOClean\BOC426.exe" [2008-04-10 11:08 351480]
"LXCICATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2005-09-08 11:44 73728]
"lphcct2j0e94p"="C:\WINDOWS\System32\lphcct2j0e94p.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2008-05-02 22:46 13529088]
"b034c368"="C:\WINDOWS\system32\sdmihhnc.dll" [2008-06-23 23:37 81408]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:56 158208]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [2007-08-20 10:58 2483496]
"BMb307f0f4"="C:\WINDOWS\system32\rknxxfqn.dll" [2008-06-23 23:34 91136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=clarggvp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sam^Start Menu^Programs^Startup^hamachi.lnk]
path=C:\Documents and Settings\Sam\Start Menu\Programs\Startup\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sam^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Sam\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sam^Start Menu^Programs^Startup^YouTube Uploader.lnk]
path=C:\Documents and Settings\Sam\Start Menu\Programs\Startup\YouTube Uploader.lnk
backup=C:\WINDOWS\pss\YouTube Uploader.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-03-25 13:21 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIMPro]
C:\Program Files\AIM\AIM Pro\aimpro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a--c--- 2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\ARES\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atomowns]
C:\DOCUME~1\Sam\APPLIC~1\PINGPA~1\axisdumb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2005-08-01 05:05 94208 C:\Program Files\Lexmark 7300 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F5D9050]
--a--c--- 2006-03-14 16:52 1585152 C:\Program Files\Belkin\F5D9050\Belkinwcui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-03-18 21:49 51184 C:\Documents and Settings\Sam\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-12 00:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P ]
C:\WINDOWS\System32\0106.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 22:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-09-10 22:56 218032 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2006-09-10 22:56 218032 c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-09-10 22:56 86960 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-11-15 14:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcimon.exe]
--a--c--- 2005-09-30 07:47 200704 C:\Program Files\Lexmark 7300 Series\lxcimon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:56 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-03 22:31 59392 C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-02 22:46 13529088 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-02 22:46 86016 C:\WINDOWS\System32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-03 22:32 455168 C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-03 22:32 455168 C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
--------- 2006-04-26 11:42 2490368 C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-11-15 00:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMBooster.Net]
C:\Program Files\RAMBooster.Net\RAMBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-27 15:30 1271032 c:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster2]
C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra--c--- 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoraiPodConverter]
--a--c--- 2006-02-11 07:23 483328 C:\Program Files\VideoraiPodConverter\VideoraiPodConverter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-10-22 11:53 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSoftwareDvdCool]
C:\Documents and Settings\All Users\Application Data\Enc Cash Win Software\Date owns.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"VideoAcceleratorService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\Nexon\Combat Arms\CombatArms.exe"= C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"C:\Nexon\Combat Arms\Engine.exe"= C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"%windir%\\system32\\sessmgr.exe"=

R2 npkcmsvc;npkcmsvc;C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 13:33]
R2 sbbotdi;sbbotdi;C:\PROGRA~1\SpeedBit Video Accelerator\sbbotdi.sys [2008-04-14 20:44]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys [2005-06-18 02:48]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 13:48]
S3 cheetah1;cheetah1;C:\Documents and Settings\Sam\Desktop\g cheetah\Pidis Hack pack\cheetahengine\cheetah.sys []
S3 Dua1ua1;C:\DOCUME~1\Sam\LOCALS~1\Temp\Rar$EX00.751\DualEngine2\DualEngi.sys []
S3 gamecheetah1;gamecheetah1;C:\Documents and Settings\Maple\Desktop\cheetah engine\gamecheetah\gamecheetah.sys []
S3 geebers12;geebers12;C:\Documents and Settings\Sam\Desktop\Blorb\blorbslayerengine\nvid888.sys []
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\Sam\Desktop\engine\IlvMoney1148.sys []
S3 knapizz;knapizz;C:\WINDOWS\knapiz.sys []
S3 lxci_device;lxci_device;C:\WINDOWS\System32\lxcicoms.exe [2005-10-24 05:33]
S3 saruen;saruen;C:\Documents and Settings\Sam\Desktop\SaruenGang\saruen.sys []
S3 sejt1;sejt1;C:\Documents and Settings\Maple\Desktop\AkumaEngine33\AkumaEngine33\sejt.sys []
S3 XDva026;XDva026;C:\WINDOWS\System32\XDva026.sys []
S3 XDva028;XDva028;C:\WINDOWS\System32\XDva028.sys []
S3 XDva037;XDva037;C:\WINDOWS\System32\XDva037.sys []
S3 XDva076;XDva076;C:\WINDOWS\System32\XDva076.sys []
S3 XDva121;XDva121;C:\WINDOWS\System32\XDva121.sys []
S3 XDva164;XDva164;C:\WINDOWS\System32\XDva164.sys []
S3 zenx1;zenx1;C:\DOCUME~1\Sam\LOCALS~1\Temp\Rar$EX00.734\ZenxEngine_LATEST\zenx.sys []
S4 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe [2008-04-14 20:44]

*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2008-06-25 20:00:00 C:\WINDOWS\Tasks\ADAAC77095B97C70.job"
- c:\docume~1\sam\applic~1\pingpa~1\Dentbuildabout.exe
"2008-06-24 23:01:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 13:04:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-25 13:06:36
ComboFix-quarantined-files.txt 2008-06-25 20:06:26
ComboFix2.txt 2008-06-25 19:43:45

Pre-Run: 60,193,939,456 bytes free
Post-Run: 60,181,798,912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

294 --- E O F --- 2008-06-24 05:29:42


  #5  
Old 06-25-2008
Bronze Member
 
Join Date: Jun 2008
Posts: 16
PC Experience: Some Experience
finalstud - See this Members User comments on their Profile page
Default Re: explorer.exe

Here's my new HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:29 PM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: (no name) - {32213194-4623-4CE9-97FE-2F511021331C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5F11D5D5-3FB2-4ADD-84AD-D69BC9A5D312} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {bce0a352-1e2d-0b18-6ed4-a054efc6f32a} - {a23f6cfe-450a-4de6-81b0-d2e1253a0ecb} - C:\WINDOWS\system32\clarggvp.dll
O3 - Toolbar: ??? ??! ??? ?????. - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lphcct2j0e94p] C:\WINDOWS\System32\lphcct2j0e94p.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [b034c368] rundll32.exe "C:\WINDOWS\system32\sdmihhnc.dll",b
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [BMb307f0f4] Rundll32.exe "C:\WINDOWS\system32\rknxxfqn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: ImageShack® - Tstart
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.siren24.co.kr
O15 - Trusted Zone: http://*.siren24.com
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://kings.nefficient.co.kr/kings/...8/kdfense8.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: clarggvp.dll
O20 - Winlogon Notify: ssqOETlK - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxci_device - - C:\WINDOWS\System32\lxcicoms.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6817 bytes


  #6  
Old 06-25-2008
Bronze Member
 
Join Date: Jun 2008
Posts: 16
PC Experience: Some Experience
finalstud - See this Members User comments on their Profile page
Default Re: explorer.exe

In safe mode, I cannot even see the extracted files. In safe mode, there's only a black screen, my service pack # at the top and Safe Mode text in the corners. mmm. Cannot access my extracted files and run runthis.bat *edit* nvm. I got runthis.bat to run, but when I load it, it says, "Cannot load VDM IPX/SPX support"



Last edited by finalstud; 06-25-2008 at 11:10 PM.
  #7  
Old 06-25-2008
Pancake's Avatar
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,608
PC Experience: Elite PC Guru
Pancake - See this Members User comments on their Profile page
Default Re: explorer.exe

I see you are running Teatimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer during HijackThis Cleanup
Disable TeaTimer during Hijackthis Cleanup

Then, download ResetTeaTimer.bat.
http://downloads.subratam.org/ResetTeaTimer.bat

Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

========================

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.


R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: (no name) - {32213194-4623-4CE9-97FE-2F511021331C} - (no file)
O2 - BHO: (no name) - {5F11D5D5-3FB2-4ADD-84AD-D69BC9A5D312} - (no file)
O4 - HKLM\..\Run: [lphcct2j0e94p] C:\WINDOWS\System32\lphcct2j0e94p.exe
O4 - HKLM\..\Run: [b034c368] rundll32.exe "C:\WINDOWS\system32\sdmihhnc.dll",b
O4 - HKLM\..\Run: [BMb307f0f4] Rundll32.exe "C:\WINDOWS\system32\rknxxfqn.dll",s
O20 - AppInit_DLLs: clarggvp.dll
O20 - Winlogon Notify: ssqOETlK - C:\WINDOWS\


Reboot....................................

==========================

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:


Killall::

File::
C:\WINDOWS\system32\sdmihhnc.dll
C:\WINDOWS\system32\rknxxfqn.dll
C:\WINDOWS\003412_.tmp
C:\WINDOWS\002606_.tmp
C:\WINDOWS\System32\lphcct2j0e94p.exe
C:\WINDOWS\system32\sdmihhnc.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b034c368"=-
"BMb307f0f4"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
c:\docume~1\sam\applic~1\pingpa~1\Dentbuildabout.exe

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt onto ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*


__________________
My real name is Eddy

Reply
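The fix list in the post above singles entries out of the log by a handful of tells: components registered with no file on disk, Run values with random-looking names, a populated AppInit_DLLs, and a Winlogon Notify package that points at a bare directory. The script below is an added example, not code from the thread, from HijackThis or from ComboFix; it encodes those tells as heuristics (my assumptions, not rules the analyst stated) and runs them over the lines posted in the log, so the same triage can be repeated on a new log before anything is removed.

```python
"""Triage of HijackThis-style log lines (added example, not code from the thread or
from HijackThis). Heuristics are assumptions modelled on what the analyst flagged."""
import re
from typing import List, Optional, Tuple

# Constructed sample: a subset of the R3/O2/O4/O20 lines posted in the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5F11D5D5-3FB2-4ADD-84AD-D69BC9A5D312} - (no file)
O2 - BHO: {bce0a352-1e2d-0b18-6ed4-a054efc6f32a} - {a23f6cfe-450a-4de6-81b0-d2e1253a0ecb} - C:\WINDOWS\system32\clarggvp.dll
O4 - HKLM\..\Run: [lphcct2j0e94p] C:\WINDOWS\System32\lphcct2j0e94p.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [b034c368] rundll32.exe "C:\WINDOWS\system32\sdmihhnc.dll",b
O4 - HKLM\..\Run: [BMb307f0f4] Rundll32.exe "C:\WINDOWS\system32\rknxxfqn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: clarggvp.dll
O20 - Winlogon Notify: ssqOETlK - C:\WINDOWS\
"""

LINE_RE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
HEX_NAME = re.compile(r"^(BM)?[0-9a-f]{8}$")                    # b034c368, BMb307f0f4
MIXED_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{12,}$")  # lphcct2j0e94p


def triage_line(line: str) -> Optional[str]:
    """Return a reason if the entry deserves analyst attention, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, kind, rest = m.group("sec", "kind", "rest")
    if rest.endswith("(no file)"):
        return "orphaned entry: registered component has no file on disk"
    if sec == "O2" and CLSID_RE.match(rest):
        return "BHO whose display name is a bare CLSID rather than a product name"
    if sec == "O20" and kind == "AppInit_DLLs" and rest.strip():
        return "AppInit_DLLs is set: the DLL is loaded into every user-mode process"
    if sec == "O20" and kind == "Winlogon Notify" and rest.rstrip().endswith("\\"):
        return "Winlogon Notify package points at a directory, not a DLL"
    if sec == "O4":
        run = RUN_RE.match(rest)
        if run and (HEX_NAME.match(run["name"]) or MIXED_NAME.match(run["name"])):
            return "Run value with random-looking name: " + run["name"]
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for every flagged entry, in log order."""
    return [(reason, ln.strip()) for ln in log_text.splitlines()
            if (reason := triage_line(ln)) is not None]
```

On the sample, `triage(SAMPLE_LOG)` flags eight of the eleven entries and passes the three vendor components (SDHelper.dll, NvCpl.dll, ctfmon.exe) that the analyst also left alone.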