Please Check My Log

  1. 07-02-2008  #1
    divad213
    divad213 is offline Junior Member

    Please Check My Log

    Help!My pc suddenly can show hidden files, it always return to the do not show hidden files state.. I tried downloading flashdisinfector and combofix but i cant access the webpage...

    please help me, im currently working on a school project and i dont want to lose any of my files

    thanks in advance


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:46:35 PM, on 2/7/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
    O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/keycrypt/npkcx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B2B0D4E3-BF50-4E7A-A2A9-5EB7BFB907FE}: NameServer = 202.78.97.41 210.4.2.61
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe

    --
    End of file - 5375 bytes

  3. 07-02-2008  #2
    VopThis
    VopThis is offline Senior Member (Canada)
    I tried downloading flashdisinfector and combofix
    Try downloading such tools to another PC for use on your PC if the following does not help make those downloads possible:


    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

    O4 - HKCU\..\Run: [KAVA] C:\WINDOWS\system32\kavo.exe

    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/keycrypt/npkcx.cab

    Make sure that all browser windows and internet links are closed, even this one!
    CLICK ’FIX CHECKED’ with HijackThis.


    REBOOT.
    Last edited by VopThis; 07-02-2008 at 02:43 PM.
  4. 08-02-2008  #3
    divad213
    divad213 is offline Junior Member
    I already downloaded flash disinfector from another pc it seems to work..
    but i found a new file on my drive c: named kmd.exe is this a threat also?
    here is my new log file of hijackthis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:42:59 PM, on 2/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe

    --
    End of file - 4874 bytes

    thanks again. you rock!!
  5. 08-02-2008  #4
    divad213
    divad213 is offline Junior Member
    i still have npkcsvc.exe on this line is it still a threat?

    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe

    thanks again
  6. 08-02-2008  #5
    VopThis
    VopThis is offline Senior Member (Canada)
    The main infection that we 'fixed' often has other components that are cleaned by running ComboFix. I need to see that log in order to properly advise you as you still seem to indicate your sense that there is still potential malware on your PC. Also, your use of 'MSCONFIG' could be hiding issues that may need resolving. NOTE: many such disabled items may not be particularly helpful towards a better functioning PC.


    kmd.exe
    This file is often found to be associated with Kazaa and is not normally considered to be an infected file. Any use of such P2P tools increases the risk profile of your PC, however:

    http://www.google.ca/search?hl=en&q=...=Google+Search



    NPKCSVC.EXE is generally classified as safe. It appears to be related to antiviral software by INCA Internet Co., Ltd. and accordingly might be duplicative of your current antivirus tool and a possible source of conflict:

    http://spywarefiles.prevx.com/RRIAFH...KCSVC.EXE.html
  7. 10-02-2008  #6
    divad213
    divad213 is offline Junior Member
    should i delete the kmd.exe???

    Heres the Combo Fix Log file...

    ComboFix 08-02.05.3 - David Sanchez 2008-02-08 21:09:18.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.267 [GMT 8:00]
    Running from: C:\Documents and Settings\David Sanchez\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\kavo.exe
    C:\WINDOWS\system32\kavo0.dll
    C:\WINDOWS\system32\kavo1.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
    .

    2008-02-07 20:45 . 2008-02-07 20:45 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-03 11:39 . 2004-08-04 09:07 13 --a------ C:\WINDOWS\system32\WINSPOOL.CRC
    2008-01-27 12:26 . 2008-01-27 12:26 <DIR> d-------- C:\Program Files\MegauploadToolbar
    2008-01-27 12:26 . 2008-02-07 21:03 <DIR> d-------- C:\Documents and Settings\David Sanchez\Application Data\MegauploadToolbar
    2008-01-27 02:53 . 2008-01-27 02:53 <DIR> d-------- C:\Program Files\BearShare Applications
    2008-01-27 02:53 . 2008-01-27 12:21 <DIR> d-------- C:\Documents and Settings\David Sanchez\Application Data\BearShare
    2008-01-27 02:53 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
    2008-01-27 02:08 . 2008-01-27 02:08 <DIR> d-------- C:\Program Files\iriver
    2008-01-25 02:32 . 2008-01-25 02:32 <DIR> d-------- C:\Documents and Settings\David Sanchez\DoctorWeb
    2008-01-13 09:24 . 2008-01-13 09:24 <DIR> d-------- C:\WINDOWS\FreeStyle Online
    2008-01-13 09:24 . 2008-02-03 16:30 <DIR> d-------- C:\Program Files\FreeStyle Online
    2008-01-12 11:18 . 2008-01-12 11:18 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-01-12 11:18 . 2008-01-12 11:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
    .
    2008-02-07 16:10 --------- d-----w C:\Program Files\Warcraft III
    2008-02-07 13:02 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-01-31 12:19 --------- d-----w C:\Documents and Settings\David Sanchez\Application Data\Business Logic
    2008-01-21 00:14 --------- d-----w C:\Program Files\Google
    2008-01-20 16:07 --------- d-----w C:\Program Files\PopCap Games
    2008-01-10 14:44 --------- d-----w C:\Program Files\Pivot Stickfigure Animator
    2008-01-06 15:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-12-30 09:11 --------- d-----w C:\Program Files\Eidos
    2007-12-30 07:55 --------- d-----w C:\Program Files\Mystery Case Files - Prime Suspects
    2007-12-19 13:08 --------- d-----w C:\Program Files\Common Files\AnimeVamp
    2007-12-15 12:55 --------- d-----w C:\Program Files\SourceTec
    2007-12-15 12:55 --------- d-----w C:\Program Files\Common Files\SourceTec
    2007-12-14 02:03 --------- d-----w C:\Program Files\TrendyFlash Site Builder
    2007-12-10 00:58 --------- d-----w C:\Program Files\BFG
    2007-12-08 12:35 --------- d--h--w C:\Program Files\Zero G Registry
    2007-12-08 12:34 --------- d-----w C:\Program Files\Siemens
    2007-12-08 12:33 --------- d-----w C:\Program Files\mIRC
    2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
    2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
    2007-11-17 17:19 802,816 ----a-w C:\WINDOWS\feedingfrenzy.scr
    2007-11-17 17:17 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2007-07-12 13:57 108,330 ----a-w C:\Documents and Settings\All Users\Application Data\firstlsp.reg.dat
    2004-10-01 07:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
    2004-07-22 02:51 3,432,656 ----a-w C:\Program Files\ManagedDX.CAB
    2004-07-19 14:58 1,156,363 ----a-w C:\Program Files\BDANT.cab
    2004-07-19 14:53 976,020 ----a-w C:\Program Files\BDAXP.cab
    2004-07-09 06:17 13,265,040 ----a-w C:\Program Files\dxnt.cab
    2004-07-09 01:13 703,080 ----a-w C:\Program Files\BDA.cab
    2004-07-09 01:13 15,493,481 ----a-w C:\Program Files\DirectX.cab
    2004-07-08 20:08 472,576 ----a-w C:\Program Files\dxsetup.exe
    2004-07-08 20:08 2,242,560 ----a-w C:\Program Files\dsetup32.dll
    2004-07-08 19:03 62,976 ----a-w C:\Program Files\DSETUP.dll
    2004-08-03 22:56 202,474 --sha-r C:\WINDOWS\system32\mveo.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:07 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp. exe" [2007-12-04 21:00 79224]
    "nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray. dll" [2006-10-22 12:22 86016]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-28 02:11 180269]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

    C:\Documents and Settings\David Sanchez\Start Menu\Programs\Startup\
    RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 06:05:02 630784]

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\explorer]
    "NoBandCustomize"= 0 (0x0)

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
    backup=C:\WINDOWS\pss\GetRight - Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ampli]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BHR]
    C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog303]
    C:\WINDOWS\VM303_STI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 09:07 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
    --a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Domino]
    -r------- 2006-06-28 17:54 49152 C:\WINDOWS\Domino.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
    --a------ 2007-01-02 05:34 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    ---hs---- 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2006-10-22 12:22 7700480 C:\WINDOWS\system32\NvCpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    --a------ 2006-10-22 12:22 86016 C:\WINDOWS\system32\NvMcTray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    --a------ 2006-06-15 12:36 229376 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    --a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SeekmoOE]
    C:\Program Files\Seekmo\bin\10.0.406.0\OEAddOn.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SeekmoSA]
    C:\Program Files\Seekmo\bin\10.0.406.0\SeekmoSA.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    -r------- 2005-09-23 00:42 90112 C:\WINDOWS\soundman.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2007-04-28 02:11 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMSnap3]
    -r------- 2006-08-30 10:58 49152 C:\WINDOWS\VMSnap3.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    --a------ 2006-11-22 01:38 35328 C:\Program Files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2007-07-16 15:17 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
    --a------ 2007-03-29 06:10 224248 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "Symantec Core LC"=2 (0x2)
    "ose"=3 (0x3)
    "NVSvc"=2 (0x2)
    "Macromedia Licensing Service"=3 (0x3)
    "IDriverT"=3 (0x3)
    "CLTNetCnService"=2 (0x2)
    "Bonjour Service"=2 (0x2)
    "SQLWriter"=3 (0x3)
    "ServiceLayer"=3 (0x3)
    "MSSQL$SQLEXPRESS"=2 (0x2)
    "gusvc"=3 (0x3)
    "GoogleDesktopManager"=3 (0x3)
    "wuauserv"=2 (0x2)
    "wscsvc"=2 (0x2)

    R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX3 2.sys [2006-02-23 11:38]
    R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 11:39]
    R3 vmfilter303;vmfilter303;C:\WINDOWS\system32\driver s\vmfilter303.sys [2006-04-25 10:57]
    R3 ZSMC303;A4 TECH PC Camera H;C:\WINDOWS\system32\Drivers\usbVM303.sys [2006-12-01 14:23]
    S4 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{6876d310-c5c1-11dc-aec4-0018f31960bb}]
    \Shell\0pen\command - krag.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{f5f3caa4-f60a-11db-b57e-ea2a123e6a9b}]
    \Shell\AutoRun\command - E:\SSCVIIHOST.exe
    \Shell\Open\command - E:\SSCVIIHOST.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-01 02:04:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    ************************************************** ************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-08 21:13:44
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    ************************************************** ************************
    .
    Completion time: 2008-02-08 21:14:30
    ComboFix-quarantined-files.txt 2008-02-08 13:14:15
    ComboFix2.txt 2008-01-28 00:52:13


    THANKS
  8. 10-02-2008  #7
    VopThis
    VopThis is offline Senior Member (Canada)
    Save 20% on AVG Internet Security 2012 Suite!
    should i delete the kmd.exe???
    I do not see any indication of Kazaa on your PC. May be best to locate the full file path and submit file for analysis:

    Submit files to VirusTotal

    Go to http://www.virustotal.com/en/indexf.html
    Copy each of the following lines into the white textbox:
    • [Full Path]\kmd.exe
      [Full Path]\krag.exe (possibly C:\Window\krag.exe)
      E:\SSCVIIHOST.exe
    Click Send.
    Please post the results of each scan to this thread.

    If VirusTotal's service load is too high, you can use the following scanner instead:
    http://virusscan.jotti.org

    The following MSCONFIG disabled files are probably also undesirable:
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SeekmoOE]
    C:\Program Files\Seekmo\bin\10.0.406.0\OEAddOn.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SeekmoSA]
    C:\Program Files\Seekmo\bin\10.0.406.0\SeekmoSA.exe



    You also appear to be using 'Bearshare' which can increase the risk of new malware appearing on your PC. Even screensavers can often be found to be infected. In those situations, you would be well-advised to at least consider strengthening your real-time prevention tools and use either Spy Sweeper or Spyware Doctor, and possibly also run AVG Anti-Spyware (mainly for anti-trojan defensive purposes) in real-time, as well (paid version=realtime). No combination of tools, however, can ever be completely fail-safe for all such possible issues.









    Download SUPERAntiSpyware (SAS) free home version:

    http://www.superantispyware.com/supe...freevspro.html


    Install it and double-click the icon on your desktop to run it:
    • It will ask if you want to update the program definitions, click "Yes",
    • Let it through your firewall!
    • Under "Configuration and Preferences", click the Preferences BUTTON.
    • Click the Scanning Control TAB.
    • Under "Scanner Options" make sure the following and additional items are checked:
      • Close browsers before scanning
      • Scan for tracking cookies (default)
      • Terminate memory threats before quarantining.
      • Ignore System Restore/Volume Information on ME and XP
      • Optional scan item:
        • Scan Alternate Data Streams (OPTIONAL Selection – deeper, trickier infection issues - longer scan).
      • Click the Close button to leave the control center screen.
    • On the main screen, under "Scan for Harmful Software" click Scan your computer.
      • On the left check "C:\Fixed Drive".
      • On the right, under "Complete Scan", choose Perform Complete Scan.
      • Click "Next" to start the scan. Please be patient while it scans your computer.
      • After the scan is complete a summary box will appear. Click "OK".
      • Make sure everything in the white box has a check next to it, then click "Next".
      • It will quarantine what it found and if it asks if you want to reboot, click "Yes".
    • To retrieve the removal information - please do the following:
      • After reboot, double-click the "SUPERAntiSpyware icon" on your desktop.
      • Click "Preferences". Click the Statistics/Logs TAB.
      • Under "Scanner Logs", double-click "SUPERAntiSpyware Scan Log".
      • It will open in your default text editor (such as Notepad/Wordpad).
      • Please highlight everything , then right-click and choose copy.
    • Click close and close again to exit the program.
    • Please paste:
      • The SAS LOG information.
      • A new HijackThis LOG (with any current observations).
+ Reply to Thread
« loss of functions | spyware software »