
Windows XP/2000 - help please! posted in the Operating Systems forums; Yes it can run in Safe Mode....


Old 03-07-2009   #8
Senior Security Analyst
 
Pancake's Avatar
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,867
PC Experience: Elite PC Guru
Default Re: help please!

Yes it can run in Safe Mode.
__________________
My real name is Eddy
Old 03-07-2009   #9
Bronze Member
 
stecojunkie's Avatar
 
Join Date: Nov 2007
Location: Worcestershire ,UK
Posts: 53
PC Experience: Some Experience
Default Re: help please!

OK, downloading now, will run it later this afternoon and post up the results.
Old 03-07-2009   #10
Bronze Member
 
stecojunkie's Avatar
 
Join Date: Nov 2007
Location: Worcestershire ,UK
Posts: 53
PC Experience: Some Experience
Default Re: help please!

Here is the ComboFix log:

ComboFix 09-03-06.02 - Steve 2009-03-07 14:19:48.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1762 [GMT 0:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: AVG 7.5.557 *On-access scanning disabled* (Outdated)
AV: Sunbelt VIPRE *On-access scanning disabled* (Outdated)
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\1000.exe
c:\windows\system32\init32.exe
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_seneka

((((((((((((((((((((((((( Files Created from 2009-02-07 to 2009-03-07 )))))))))))))))))))))))))))))))
.
2009-03-04 10:33 . 2009-03-04 10:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-04 10:33 . 2009-03-04 10:33 <DIR> d-------- c:\documents and settings\Steve\Application Data\Malwarebytes
2009-03-04 10:33 . 2009-03-04 10:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-04 10:33 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-04 10:33 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-04 10:21 . 2009-03-04 10:21 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Webroot
2009-03-04 08:21 . 2009-03-04 08:21 0 --a------ c:\windows\system32\SBRC.dat
2009-03-03 19:33 . 2008-09-12 11:12 69,168 --a------ c:\windows\system32\drivers\sbapifs.sys
2009-03-03 19:33 . 2008-09-12 11:12 13,360 --a------ c:\windows\system32\drivers\sbaphd.sys
2009-03-03 19:31 . 2009-03-03 19:31 <DIR> d-------- c:\documents and settings\Steve\Application Data\Sunbelt
2009-03-03 19:28 . 2009-03-03 19:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sunbelt
2009-03-03 19:26 . 2008-10-09 10:21 202,928 --a------ c:\windows\system32\drivers\sbtis.sys
2009-03-03 19:25 . 2009-03-03 19:25 <DIR> d-------- c:\program files\Sunbelt Software
2009-02-25 12:24 . 2009-02-25 12:24 <DIR> d-------- c:\program files\uTorrent
2009-02-25 12:24 . 2009-03-03 16:54 <DIR> d-------- c:\documents and settings\Steve\Application Data\uTorrent
2009-02-21 19:11 . 2009-02-21 19:11 <DIR> d-------- c:\program files\MarkAnyContentSAFER
2009-02-21 18:01 . 2009-02-21 18:01 <DIR> d-------- c:\program files\DIFX
2009-02-21 18:00 . 2008-09-12 09:24 233,472 --a------ c:\windows\system32\FsUsbExService.Exe
2009-02-21 18:00 . 2009-02-21 19:10 110,592 --a------ c:\windows\system32\FsUsbExDevice.Dll
2009-02-21 18:00 . 2009-02-21 19:10 36,608 --a------ c:\windows\system32\FsUsbExDisk.Sys
2009-02-21 17:37 . 2009-02-21 17:37 <DIR> d-------- c:\documents and settings\Steve\Application Data\Samsung
2009-02-21 17:35 . 2009-02-21 17:35 <DIR> d-------- c:\windows\system32\Samsung_USB_Drivers
2009-02-21 17:35 . 2009-02-21 17:37 <DIR> d-------- c:\program files\Samsung
2009-02-21 17:35 . 2008-02-22 15:33 114,304 --a------ c:\windows\system32\drivers\sscdmdm.sys
2009-02-21 17:35 . 2008-02-22 15:33 87,936 --a------ c:\windows\system32\drivers\sscdbus.sys
2009-02-21 17:35 . 2008-02-22 15:33 14,976 --a------ c:\windows\system32\drivers\sscdmdfl.sys
2009-02-21 17:35 . 2008-02-22 15:33 12,160 --a------ c:\windows\system32\drivers\sscdwhnt.sys
2009-02-21 17:35 . 2008-02-22 15:33 12,160 --a------ c:\windows\system32\drivers\sscdwh.sys
2009-02-21 17:35 . 2008-02-22 15:33 12,160 --a------ c:\windows\system32\drivers\sscdcmnt.sys
2009-02-21 17:35 . 2008-02-22 15:33 12,160 --a------ c:\windows\system32\drivers\sscdcm.sys
2009-02-21 17:35 . 2005-08-28 20:51 766 --a------ c:\windows\system32\Uninstall.ico
2009-02-11 00:13 . 2009-02-11 00:13 42,320 --a------ c:\windows\system32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-03 18:11 --------- d-----w c:\documents and settings\Steve\Application Data\AVG7
2009-03-03 14:47 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-25 12:24 --------- d-----w c:\documents and settings\Steve\Application Data\Azureus
2009-02-21 19:10 5,632 ----a-w c:\windows\system32\drivers\StarOpen.sys
2009-02-21 17:37 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-16 15:13 --------- d-----w c:\documents and settings\Steve\Application Data\Xfire
2009-02-15 17:02 --------- d-----w c:\program files\Xfire
2009-02-05 20:48 --------- d-----w c:\documents and settings\Steve\Application Data\iMesh
2009-02-03 20:00 --------- d-----w c:\program files\BF2CC
2009-01-26 12:21 --------- d-----w c:\program files\Microsoft AutoRoute
2009-01-25 12:56 --------- d-----w c:\program files\DivX
2008-12-09 16:36 12,252,907 ------w C:\avg7qt.dat
.
------- Sigcheck -------
2008-04-14 00:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2009-03-03 18:56 104960 ee5cade84509b28a687ffed2851dacab c:\windows\system32\userinit.exe
2009-03-03 18:56 104960 ee5cade84509b28a687ffed2851dacab c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"McAfee QuickClean Imonitor"="c:\program files\McAfee\McAfee QuickClean\Plguni.exe" [2005-10-03 106496]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2009-02-21 98304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"McRegWiz"="c:\progra~1\McAfee.com\Agent\McRegWiz.exe" [2005-06-01 368714]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-08-28 185632]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-01-26 495616]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-24 590848]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2008-10-28 955688]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 5367664]
"VTTimer"="VTTimer.exe" [2006-09-21 c:\windows\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2006-10-10 c:\windows\system32\S3Trayp.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-02-15 219136]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
PC Alert 4.lnk - c:\program files\MSI\PC Alert 4\PCAlert4.exe [2007-07-13 552960]
SecureDoc.lnk - c:\program files\MSI\SecureDoc\Logon.exe [2008-01-01 82944]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2007-07-13 17920]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [2008-10-28 886056]
S1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-03-03 13360]
S1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-03-03 202928]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-02-21 233472]
S2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-03-03 69168]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-02-21 36608]
S3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2006-11-15 634880]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [2007-11-17 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [2007-11-17 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [2007-11-17 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\sea1mgmt.sys [2007-11-17 88624]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\drivers\sea1nd5.sys [2007-11-17 18704]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\drivers\sea1obex.sys [2007-11-17 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\drivers\sea1unic.sys [2007-11-17 90800]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cd3338a-a0f0-11dc-92a7-0014bf767ccb}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edaed8b6-eace-11dc-ac34-806d6172696f}]
\Shell\AutoRun\command - D:\Autorun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2009-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 12:42]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-NPSStartup - (no file)

.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\h63mjyf3.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-07 14:33:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(208)
c:\windows\system32\WRLogonNTF.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
.
**************************************************************************
.
Completion time: 2009-03-07 14:38:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-07 14:38:08
Pre-Run: 158,065,909,760 bytes free
Post-Run: 162,586,935,296 bytes free
224 --- E O F --- 2009-02-25 22:19:45
Old 03-07-2009   #11
Senior Security Analyst
 
Pancake's Avatar
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,867
PC Experience: Elite PC Guru
Default Re: help please!

That's looking fine and has got rid of some of the more nasty stuff. How are things now? I don't see any more in the log.
Old 03-08-2009   #12
Bronze Member
 
stecojunkie's Avatar
 
Join Date: Nov 2007
Location: Worcestershire ,UK
Posts: 53
PC Experience: Some Experience
Default Re: help please!

I still can't log on in the normal XP mode, it just logs me straight back out before explorer.exe runs.

In safe mode it is completely normal and fine.
Old 03-08-2009   #13
Bronze Member
 
stecojunkie's Avatar
 
Join Date: Nov 2007
Location: Worcestershire ,UK
Posts: 53
PC Experience: Some Experience
Default Re: help please!

--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(208)
c:\windows\system32\WRLogonNTF.dll


That just caught my eye, anything to do with the problem?
Old 03-08-2009   #14
Senior Security Analyst
 
Pancake's Avatar
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,867
PC Experience: Elite PC Guru
Default Re: help please!

WRLogonNTF.dll
Description: Used by Webroot Spy Sweeper