taskmanager disabled after reboot

Question

Hello, I scanned my computer with several antivirus-software. Most of the originally found viruses seem to be removed, but the taskmanager still is disabled everytime the pc is rebooted. I hope you can help me with this. This is the latest HijackThis log:   Logfile of Trend Micro HijackThis v2.0.2Scan saved at 08:30:54, on 16.07.2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: Normal Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\FLIR Systems\ThermaCAM QuickView 2\T3Srv.exeC:\Program Files\CA\eTrust Antivirus\InoRpc.exeC:\Program Files\CA\eTrust Antivirus\InoRT.exeC:\Program Files\CA\eTrust Antivirus\InoTask.exeC:\WINDOWS\system32\lkcitdl.exeC:\WINDOWS\system32\lkads.exeC:\WINDOWS\system32\lktsrv.exeC:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exeC:\Program Files\National Instruments\MAX
imxs.exeC:\WINDOWS\system32
ipalsm.exeC:\Program Files\National Instruments\Shared\Security
idmsrv.exeC:\WINDOWS\system32
isvcloc.exeC:\Program Files\National Instruments\Shared\Tagger	agsrv.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32
ipalsm.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\CA\ETRUST~1ealmon.exeC:\Program Files\National Instruments\NI-DAQ\HWConfig
idevmon.exeC:\Program Files\PenScope\PenScope\TPPOLL10.EXEC:\WINDOWS\system32\winds32.exeC:\WINDOWS\System32\msiexec.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://aquanetR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.5.0.150:80R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*.*; 190.100.205.*; O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1ealmon.exe -s O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig
idevmon.exe O4 - HKLM\..\Run: [TPPOLL10] C:\Program Files\PenScope\PenScope\TPPOLL10.EXE O4 - HKLM\..\Run: [System32] C:\WINDOWS\system32\winds32.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O14 - IERESET.INF: START_PAGE_URL=http://aquanet O16 - DPF: {304171C0-65EA-4B51-B5D9-93A311E26EB1} (MxPEG_ActiveX Control) - http://10.5.1.96/cgi-bin/MxPEG_ActiveX.cab?dummy=9343383 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164960987482 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = glamox.local O17 - HKLM\Software\..\Telephony: DomainName = glamox.local O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = glamox.local O23 - Service: FLIR Camera Monitor (CameraMonitor) - FLIR Systems - C:\Program Files\FLIR Systems\ThermaCAM QuickView 2\T3Srv.exe O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX
imxs.exe O23 - Service: NI-488.2 Enumeration Service (ni488enumsvc) - National Instruments Corporation - C:\WINDOWS\system32
ipalsm.exe O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - C:\WINDOWS\system32
ipalsm.exe O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security
idmsrv.exe O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - C:\WINDOWS\system32
ipalsm.exe O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32
isvcloc.exe O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger	agsrv.exe O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe --End of file - 5783 bytes

aM- · Answer

try download this software

http://www.ognizer.net/downloads/Ultimate%20Washer/uw2rc2.zip

this software will fix Missing Task Manager, Folder Options, Registry Editor, Run, Search & Command Prompt.

After download, unzip thats and run it.

To fix your problem, click Registry's tab and click at button Repair Registry.

aqua08 · Answer

mh.. that didn´t really work. the tool only enables the taskmanager (what I had tried before in the registry) temporarily. after reboot it is disabled again.... another idea?

bamajim · Answer

aqua08

Please download Combofix and save to your desktop:

Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Microsoft MVP Consumer-Security

CastleCops Instructor

"The world is what you make of it"

aqua08 · Answer

ehm... this is a long log.... ?         ComboFix 08-07-14.2 - Administrator 2008-07-16 15:29:33.1 - NTFSx86Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.568 [GMT 2:00]Running from: C:\Documents and Settings\Administrator\Desktop\combofix\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!. ADS - svchost.exe: deleted 24064 bytes in 1 streams. (((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))). C:\Documents and Settings\Administrator\Application Data\Install.datC:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.datC:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.datC:\Documents and Settings\brlabor4\Application Data\install.datC:\WINDOWS\msserv.configC:\WINDOWS\msserv.exeC:\WINDOWSegedit.comC:\WINDOWS\system32\~.exeC:\WINDOWS\system32\11422561741.dllC:\WINDOWS\system32\70534.exeC:\WINDOWS\system32\dflgh8jkd2q1.exeC:\WINDOWS\system32\dflgh8jkd2q2.exeC:\WINDOWS\system32\dflgh8jkd2q5.exeC:\WINDOWS\system32\dflgh8jkd2q6.exeC:\WINDOWS\system32\dflgh8jkd2q7.exeC:\WINDOWS\system32\dflgh8jkd2q8.exeC:\WINDOWS\system32\Dll.dllC:\WINDOWS\system32\drivers\Khye57.sysC:\WINDOWS\system32\drivers\Winxe38.sysC:\WINDOWS\system32\icqmlib.exeC:\WINDOWS\system32\iepref32.dllC:\WINDOWS\system32\ierplc.dllC:\WINDOWS\system32\ips.dllC:\WINDOWS\system32\KernelDrv.exeC:\WINDOWS\system32\ksvcl.dllC:\WINDOWS\system32\lanmandrv.sysC:\WINDOWS\system32\lanmanwrk.exeC:\WINDOWS\system32\laprxy.dllexeC:\WINDOWS\system32\maxpaynow1.exeC:\WINDOWS\system32\maxpaynowti1.exeC:\WINDOWS\system32\msdefender.exeC:\WINDOWS\system32\ocxapi.dllC:\WINDOWS\system32\ocxloader.exeC:\WINDOWS\system32\qmopt.dllC:\WINDOWS\system32	askmgr.comC:\WINDOWS\system32\vedxg3am1et3.exeC:\WINDOWS\system32\WinCtrl32.dl_C:\WINDOWS\system32\WinCtrl32.dllC:\WINDOWS\system32\winds32.exe ----- BITS: Possible infected sites ----- hxxp://debremsus01.(((((((((((((((((((((((((((((((((((((((   Drivers/Services   ))))))))))))))))))))))))))))))))))))))))))))))))). -------\Legacy_CCEVTSVC-------\Legacy_FCI-------\Legacy_KHYE57-------\Legacy_LANMANDRV-------\Legacy_WINXE38-------\Service_Khye57-------\Service_Winxe38 (((((((((((((((((((((((((   Files Created from 2008-06-16 to 2008-07-16  ))))))))))))))))))))))))))))))). 2008-07-16 13:43 . 2008-07-16 13:43 36,352 --a------ C:\WINDOWS\system32\drivers\843lozjc.exe2008-07-16 13:33 . 2008-07-16 13:33   d-------- C:\WINDOWS\msapps 2008-07-16 13:13 . 2008-07-16 13:41 34,468 --a------ C:\WINDOWS\system32\kcopt.dll 2008-07-16 12:47 . 2008-07-16 12:47 29 --a------ C:\WINDOWS\system32\opurerdp.tmp 2008-07-16 12:46 . 2008-07-16 12:46 15,360 --a------ C:\WINDOWS\system32\wpx33.cpx 2008-07-16 12:46 . 2008-07-16 12:46 0 --a------ C:\12.tmp 2008-07-16 12:43 . 2008-07-16 12:43   d-------- C:\Program Files\Lavasoft 2008-07-16 12:40 . 2008-07-16 12:41   d-------- C:\Program Files\ClearProg 2008-07-16 12:23 . 2008-07-16 12:23   d-------- C:\Program Files\MSXML 4.0 2008-07-16 12:04 . 2004-08-04 14:00 119,808 --a--c--- C:\WINDOWS\system32\dllcache\winmine.exe 2008-07-16 12:04 . 2004-08-04 14:00 113,222 --a--c--- C:\WINDOWS\system32\dllcache\zoneclim.dll 2008-07-16 12:04 . 2004-08-04 14:00 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime 2008-07-16 12:04 . 2004-08-04 14:00 41,029 --a--c--- C:\WINDOWS\system32\dllcache\zcorem.dll 2008-07-16 12:04 . 2004-08-04 14:00 36,937 --a--c--- C:\WINDOWS\system32\dllcache\zclientm.exe 2008-07-16 12:04 . 2004-08-04 14:00 29,760 --a--c--- C:\WINDOWS\system32\dllcache\znetm.dll 2008-07-16 12:04 . 2004-08-04 14:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls 2008-07-16 12:04 . 2004-08-04 14:00 13,894 --a--c--- C:\WINDOWS\system32\dllcache\zonelibm.dll 2008-07-16 12:04 . 2004-08-04 14:00 4,677 --a--c--- C:\WINDOWS\system32\dllcache\zeeverm.dll 2008-07-16 12:02 . 2004-08-04 14:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex 2008-07-16 12:01 . 2004-08-04 14:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll 2008-07-16 12:00 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll 2008-07-16 11:58 . 2004-08-04 14:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\WindowsShell.Manifest 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\system32
wc.cpl.manifest 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\system32
cpa.cpl.manifest 2008-07-16 11:58 . 2008-07-16 11:58 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest 2008-07-16 11:46 . 2004-08-04 14:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll 2008-07-16 11:46 . 2004-08-04 14:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll 2008-07-16 11:46 . 2004-08-04 14:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll 2008-07-16 11:46 . 2004-08-04 14:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll 2008-07-16 10:04 . 2008-07-16 10:04 23,484 --a------ C:\WINDOWS\Microsoft Outlook.FAV 2008-07-16 09:48 . 2008-02-12 14:59 1,306,624 --a------ C:\WINDOWS\system32\msxml6.dll 2008-07-16 09:48 . 2008-02-12 02:48 79,872 --a------ C:\WINDOWS\system32\msxml6r.dll 2008-07-16 09:39 . 2008-02-12 03:13 10,240 --a------ C:\WINDOWS\system32\drivers\sffp_mmc.sys 2008-07-16 09:38 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\ 003374_.tmp 2008-07-16 08:14 . 2008-07-16 08:14   d-------- C:\Program Files\Trend Micro 2008-07-16 07:53 . 2008-07-16 08:30   d-------- C:\HJT 2008-07-16 07:42 . 2008-07-16 07:43   d-------- C:\Desktop 2008-07-16 07:05 . 2008-07-16 07:05   d-a------ C:\WINDOWS\zts2.exe 2008-07-16 07:05 . 2008-07-16 07:05   d-a------ C:\WINDOWS\system32\vcmgcd32.dll 2008-07-16 07:05 . 2008-07-16 07:05   d-a------ C:\WINDOWS\system32\iifgfgf.dll 2008-07-16 07:05 . 2008-07-16 07:05   d-a------ C:\WINDOWSundll16.exe 2008-07-16 07:05 . 2008-07-16 07:05   d-a------ C:\WINDOWSundl132.dll 2008-07-16 07:05 . 2008-07-16 07:05   d-a------ C:\WINDOWS\logo1_.exe 2008-07-16 07:05 . 2008-07-16 12:43   d-------- C:\Documents and Settings\brlabor4\Application Data\Lavasoft 2008-07-16 07:05 . 2008-07-16 13:42   d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft 2008-07-15 16:08 . 2008-07-16 07:05   d-------- C:\Program Files\Spybot - Search & Destroy 2008-07-15 13:16 . 2008-07-15 13:16 0 --a------ C:\23990098.$$$ 2008-07-15 11:17 . 2008-07-15 11:42 26 --a------ C:\WINDOWS\Lic.xxx 2008-07-15 11:16 . 2008-07-15 13:52   d-------- C:\Temp\AVCBack 2008-07-15 11:16 . 2004-08-04 01:56 146,432 --a------ C:\WINDOWS\R.COM 2008-07-15 11:16 . 2004-08-04 01:56 135,680 --a------ C:\WINDOWS\system32\T.COM 2008-07-15 11:09 . 2008-07-15 11:09   d-------- C:\Temp\F-Secure 2008-07-15 11:03 . 2008-07-15 11:03 300 --a------ C:\WINDOWS\wininit.ini 2008-07-15 10:33 . 2008-07-16 07:08   d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-07-14 08:41 . 2008-07-15 13:52   d-------- C:\Temp\gis63c50 2008-07-10 16:39 . 2008-07-10 16:39 44 --a------ C:\WINDOWS\73334xxx00_AN.PJT 2008-07-10 16:12 . 2008-07-10 16:12 44 --a------ C:\WINDOWS\73334xxx00_BE.PJT .((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-07-16 06:29 --------- d-----w C:\Program Files\Google2004-03-15 15:51 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll2006-01-23 08:32 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll2007-02-08 08:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll. (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]'Realtime Monitor'='C:\PROGRA~1\CA\ETRUST~1ealmon.exe' [2003-02-13 11:25 493024]'niDevMon'='C:\Program Files\National Instruments\NI-DAQ\HWConfig
idevmon.exe' [2007-02-24 02:34 92960]'TPPOLL10'='C:\Program Files\PenScope\PenScope\TPPOLL10.EXE' [2007-05-10 20:57 40960] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]'CTFMON.EXE'='C:\WINDOWS\System32\CTFMON.EXE' [2004-08-04 14:00 15360] C:\Documents and Settings\brlabor4\Start Menu\Programs\Startup\Shortcut to hardcopy.lnk - C:\Program Files\Hardcopy\hardcopy.exe [2004-07-26 18:49:30 1093632] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]'DisableCAD'= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversionun-]'MSMSGS'='C:\Program Files\Messenger\MSMSGS.EXE' /background [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]'EnableFirewall'= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]'%windir%\system32\sessmgr.exe'='%windir%\Network Diagnostic\xpnetdiag.exe'= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]'10010:TCP'= 10010:TCP:190.100.0.0/255.255.0.0:Enabled:AdAware'2868:TCP'= 2868:TCP:190.100.0.0/255.255.0.0:Enabled:NVC R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers
ipalk.sys [2007-02-15 22:59]R0 nipbcfk;National Instruments Class Upper Filter Driver;C:\WINDOWS\system32\drivers
ipbcfk.sys [2007-02-15 17:23]R2 CameraMonitor;FLIR Camera Monitor;C:\Program Files\FLIR Systems\ThermaCAM QuickView 2\T3Srv.exe [2006-06-08 13:58]R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2005-06-10 10:01]R2 glpntdrv;glpntdrv;C:\WINDOWS\system32\drivers\glpntdrv.sys [1998-11-25 17:48]R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 02:29]R2 mxssvr;NI Configuration Manager;C:\Program Files\National Instruments\MAX
imxs.exe [2007-02-22 08:46]R2 ni488enumsvc;NI-488.2 Enumeration Service;C:\WINDOWS\system32
ipalsm.exe [2007-02-16 10:21]R2 nidevldu;NI Device Loader;C:\WINDOWS\system32
ipalsm.exe [2007-02-16 10:21]R2 nipxirmk;nipxirmk;C:\WINDOWS\system32\drivers
ipxirmkl.sys [2007-02-22 11:18]R2 NITaggerService;National Instruments Variable Engine;C:\Program Files\National Instruments\Shared\Tagger	agsrv.exe [2007-02-06 22:47]R2 NiViPxiK;NI-VISA PXI Driver;C:\WINDOWS\system32\drivers\NiViPxiKl.sys [2007-02-23 10:25]R3 nidimk;nidimk;C:\WINDOWS\system32\drivers
idimkl.sys [2007-02-21 22:20]R3 nimdbgk;nimdbgk;C:\WINDOWS\system32\drivers
imdbgkl.sys [2007-02-21 21:46]R3 nimru2k;nimru2k;C:\WINDOWS\system32\drivers
imru2kl.sys [2007-02-21 22:39]R3 nimstsk;nimstsk;C:\WINDOWS\system32\drivers
imstskl.sys [2007-02-25 20:12]R3 nimxdfk;nimxdfk;C:\WINDOWS\system32\drivers
imxdfkl.sys [2007-02-21 22:10]S2 MCUSBICD2;Microchip MPLAB ICD 2 Firmware Client Driver (ICD2W2K.SYS);C:\WINDOWS\system32\Drivers\icd2w2k.sys [2004-03-22 02:43]S3 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2002-09-20 02:27]S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2002-09-20 02:41]S3 DCamUSBTP10;Pen Scope;C:\WINDOWS\system32\Drivers\TP6810.sys [2007-07-26 19:56]S3 FLIRUSBNET;FLIR USB Network Adapter;C:\WINDOWS\system32\DRIVERS\FLIRUSB.sys [2006-05-05 13:20]S3 lvalarmk;lvalarmk;C:\WINDOWS\system32\drivers\lvalarmk.sys [2007-01-11 10:18]S3 ni1006k;NI PXI-1006 Chassis Pilot;C:\WINDOWS\system32\drivers
i1006k.sys [2007-02-22 11:40]S3 ni1045k;NI PXI-1045 Chassis Pilot;C:\WINDOWS\system32\drivers
i1045kl.sys [2007-02-22 11:43]S3 ni488lock;NI-488.2 Locking Service;C:\WINDOWS\system32\drivers
i488lock.sys [2007-02-26 12:40]S3 nicdrk;nicdrk;C:\WINDOWS\system32\drivers
icdrkl.sys [2007-02-22 18:18]S3 nidmxfk;nidmxfk;C:\WINDOWS\system32\drivers
idmxfkl.sys [2007-02-25 20:12]S3 nidsark;nidsark;C:\WINDOWS\system32\drivers
idsarkl.sys [2007-02-23 17:43]S3 niemrk;niemrk;C:\WINDOWS\system32\drivers
iemrkl.sys [2007-02-25 19:13]S3 niesrk;niesrk;C:\WINDOWS\system32\drivers
iesrkl.sys [2007-02-25 19:13]S3 nifslk;nifslk;C:\WINDOWS\system32\drivers
ifslkl.sys [2007-02-22 13:21]S3 nimsdrk;nimsdrk;C:\WINDOWS\system32\drivers
imsdrkl.sys [2007-02-25 20:10]S3 nimslk;nimslk;C:\WINDOWS\system32\drivers
imslk.dll [2006-12-18 12:55]S3 nimsrlk;nimsrlk;C:\WINDOWS\system32\drivers
imsrlk.dll [2006-12-18 12:55]S3 nimxpk;nimxpk;C:\WINDOWS\system32\drivers
imxpkl.sys [2007-02-22 13:26]S3 ninshsdk;ninshsdk;C:\WINDOWS\system32\drivers
inshsdkl.sys [2007-02-23 17:25]S3 niorbk;niorbk;C:\WINDOWS\system32\drivers
iorbkl.sys [2007-02-21 21:39]S3 nipalfwedl;nipalfwedl;C:\WINDOWS\system32\drivers
ipalfwedl.sys [2007-02-15 23:00]S3 nipalusbedl;nipalusbedl;C:\WINDOWS\system32\drivers
ipalusbedl.sys [2007-02-15 23:00]S3 nipxigpk;NI PXI Generic Chassis Pilot;C:\WINDOWS\system32\drivers
ipxigpk.sys [2007-02-22 11:45]S3 niscdk;niscdk;C:\WINDOWS\system32\drivers
iscdkl.sys [2007-02-26 16:31]S3 nisdigk;nisdigk;C:\WINDOWS\system32\drivers
isdigkl.sys [2007-02-25 19:11]S3 nisftk;nisftk;C:\WINDOWS\system32\drivers
isftkl.sys [2007-02-24 00:17]S3 nismbusk;nismbusk;C:\WINDOWS\system32\drivers
ismbusk.sys [2007-02-22 11:34]S3 nispdk;nispdk;C:\WINDOWS\system32\drivers
ispdkl.sys [2007-02-26 16:31]S3 nissrk;nissrk;C:\WINDOWS\system32\drivers
issrkl.sys [2007-02-25 19:13]S3 nistc2k;nistc2k;C:\WINDOWS\system32\drivers
istc2kl.sys [2007-02-22 20:17]S3 nistcrk;nistcrk;C:\WINDOWS\system32\drivers
istcrkl.sys [2007-02-23 03:14]S3 niswdk;niswdk;C:\WINDOWS\system32\drivers
iswdkl.sys [2007-02-23 20:44]S3 nitiork;nitiork;C:\WINDOWS\system32\drivers
itiorkl.sys [2007-02-23 15:54]S3 NiViFWK;NI-VISA FireWire Driver;C:\WINDOWS\system32\drivers\NiViFWKl.sys [2007-02-22 10:42]S3 NiViPciK;NI-VISA PCI Driver;C:\WINDOWS\system32\drivers\NiViPciKl.sys [2007-02-23 10:25]S3 niwfrk;niwfrk;C:\WINDOWS\system32\drivers
iwfrkl.sys [2007-02-25 19:13]S3 nixsrk;nixsrk;C:\WINDOWS\system32\drivers
ixsrkl.sys [2007-02-25 19:13]S3 TTUSB1;TTUSB1.SYS TechTools USB device driver;C:\WINDOWS\system32\Drivers\TTUSB1.sys [2007-06-25 07:31]S3 usb6xxxk;usb6xxxk;C:\WINDOWS\system32\drivers\usb6xxxk.sys [2007-02-25 19:11] .- - - - ORPHANS REMOVED - - - - HKLM-Run-msdefender - C:\WINDOWS\system32\msdefender.exeHKLM-Run-lanmanwrk.exe clean - C:\WINDOWS\System32\lanmanwrk.exeHKLM-Run-KernelDrv.exe clean - C:\WINDOWS\System32\KernelDrv.exe ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-07-16 15:35:14Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0 **************************************************************************.------------------------ Other Running Processes ------------------------.C:\Program Files\CA\eTrust Antivirus\InoRpc.exeC:\Program Files\CA\eTrust Antivirus\InoRT.exeC:\Program Files\CA\eTrust Antivirus\InoTask.exeC:\WINDOWS\system32\lkcitdl.exeC:\WINDOWS\system32\lkads.exeC:\WINDOWS\system32\lktsrv.exeC:\Program Files\National Instruments\Shared\Security
idmsrv.exeC:\WINDOWS\system32
isvcloc.exe.**************************************************************************.Completion time: 2008-07-16 15:37:54 - machine was rebooted [Administrator]ComboFix-quarantined-files.txt  2008-07-16 13:37:47 Pre-Run: 3,730,567,168 bytes freePost-Run: 3,659,853,824 bytes free 245 --- E O F --- 2008-07-16 10:23:00

bamajim · Answer

aqua08

Drat! :smileysad:

Appologies. I made a typo error.

We are going to have to do this again

1. Open NotePad (not wordpad). Copy and paste the following into Notepad

File::
C:\WINDOWS\system32\drivers\843lozjc.exe
C:\WINDOWS\system32\kcopt.dll
C:\WINDOWS\system32\opurerdp.tmp
C:\WINDOWS\system32\wpx33.cpx
C:\WINDOWS\zts2.exe
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\logo1_.exe

Save the File as CFScript(exactly as shown no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

user posted image

You will be prompted to run Combofix again, Do so
Following the same rules as indicated in my first post
Then post the contents of the C:\ComboFix.txt log in your reply

Microsoft MVP Consumer-Security

CastleCops Instructor

"The world is what you make of it"

bamajim · Answer

aqua08

Not near as long as some I have seen

1. Open NotePad (not wordpad). Copy and paste the following into Notepad

File::
C:\WINDOWS\system32\drivers\843lozjc.exe
C:\WINDOWS\system32\kcopt.dll
C:\WINDOWS\system32\opurerdp.tmp
C:\WINDOWS\system32\wpx33.cpx
C:\WINDOWS\zts2.exe
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\logo1_.exe

Folder::
C:\Temp\gis63c50

Save the File as CFScript(exactly as shown no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

user posted image

You will be prompted to run Combofix again, Do so
Following the same rules as indicated in my first post
Then post the contents of the C:\ComboFix.txt log in your reply

Microsoft MVP Consumer-Security

CastleCops Instructor

"The world is what you make of it"

aqua08 · Answer

So.. latest log... Looking good?         ComboFix 08-07-14.2 - Administrator 2008-07-16 16:47:42.3 - NTFSx86Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.691 [GMT 2:00]Running from: C:\Documents and Settings\Administrator\Desktop\combofix\ComboFix.exeCommand switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE ::C:\WINDOWS\logo1_.exeC:\WINDOWSundl132.dllC:\WINDOWSundll16.exeC:\WINDOWS\system32\drivers\843lozjc.exeC:\WINDOWS\system32\iifgfgf.dllC:\WINDOWS\system32\kcopt.dllC:\WINDOWS\system32\opurerdp.tmpC:\WINDOWS\system32\vcmgcd32.dllC:\WINDOWS\system32\wpx33.cpxC:\WINDOWS\zts2.exe. (((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))). C:\WINDOWS\system32\drivers\843lozjc.exeC:\WINDOWS\system32\kcopt.dllC:\WINDOWS\system32\opurerdp.tmpC:\WINDOWS\system32\wpx33.cpx .(((((((((((((((((((((((((   Files Created from 2008-06-16 to 2008-07-16  ))))))))))))))))))))))))))))))). 2008-07-16 13:33 . 2008-07-16 13:33   d-------- C:\WINDOWS\msapps 2008-07-16 12:46 . 2008-07-16 12:46 0 --a------ C:\12.tmp 2008-07-16 12:43 . 2008-07-16 12:43   d-------- C:\Program Files\Lavasoft 2008-07-16 12:40 . 2008-07-16 12:41   d-------- C:\Program Files\ClearProg 2008-07-16 12:23 . 2008-07-16 12:23   d-------- C:\Program Files\MSXML 4.0 2008-07-16 12:04 . 2004-08-04 14:00 119,808 --a--c--- C:\WINDOWS\system32\dllcache\winmine.exe 2008-07-16 12:04 . 2004-08-04 14:00 113,222 --a--c--- C:\WINDOWS\system32\dllcache\zoneclim.dll 2008-07-16 12:04 . 2004-08-04 14:00 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime 2008-07-16 12:04 . 2004-08-04 14:00 41,029 --a--c--- C:\WINDOWS\system32\dllcache\zcorem.dll 2008-07-16 12:04 . 2004-08-04 14:00 36,937 --a--c--- C:\WINDOWS\system32\dllcache\zclientm.exe 2008-07-16 12:04 . 2004-08-04 14:00 29,760 --a--c--- C:\WINDOWS\system32\dllcache\znetm.dll 2008-07-16 12:04 . 2004-08-04 14:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls 2008-07-16 12:04 . 2004-08-04 14:00 13,894 --a--c--- C:\WINDOWS\system32\dllcache\zonelibm.dll 2008-07-16 12:04 . 2004-08-04 14:00 4,677 --a--c--- C:\WINDOWS\system32\dllcache\zeeverm.dll 2008-07-16 12:02 . 2004-08-04 14:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex 2008-07-16 12:01 . 2004-08-04 14:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll 2008-07-16 12:00 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll 2008-07-16 11:58 . 2004-08-04 14:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\WindowsShell.Manifest 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\system32
wc.cpl.manifest 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\system32
cpa.cpl.manifest 2008-07-16 11:58 . 2008-07-16 11:58 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest 2008-07-16 11:46 . 2004-08-04 14:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll 2008-07-16 11:46 . 2004-08-04 14:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll 2008-07-16 11:46 . 2004-08-04 14:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll 2008-07-16 11:46 . 2004-08-04 14:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll 2008-07-16 10:04 . 2008-07-16 10:04 23,484 --a------ C:\WINDOWS\Microsoft Outlook.FAV 2008-07-16 09:48 . 2008-02-12 14:59 1,306,624 --a------ C:\WINDOWS\system32\msxml6.dll 2008-07-16 09:48 . 2008-02-12 02:48 79,872 --a------ C:\WINDOWS\system32\msxml6r.dll 2008-07-16 09:39 . 2008-02-12 03:13 10,240 --a------ C:\WINDOWS\system32\drivers\sffp_mmc.sys 2008-07-16 09:38 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\ 003374_.tmp 2008-07-16 08:14 . 2008-07-16 08:14   d-------- C:\Program Files\Trend Micro 2008-07-16 07:53 . 2008-07-16 08:30   d-------- C:\HJT 2008-07-16 07:42 . 2008-07-16 07:43   d-------- C:\Desktop 2008-07-16 07:05 . 2008-07-16 07:05   d-a------ C:\WINDOWS\zts2.exe 2008-07-16 07:05 . 2008-07-16 07:05   d-a------ C:\WINDOWS\system32\vcmgcd32.dll 2008-07-16 07:05 . 2008-07-16 07:05   d-a------ C:\WINDOWS\system32\iifgfgf.dll 2008-07-16 07:05 . 2008-07-16 07:05   d-a------ C:\WINDOWSundll16.exe 2008-07-16 07:05 . 2008-07-16 07:05   d-a------ C:\WINDOWSundl132.dll 2008-07-16 07:05 . 2008-07-16 07:05   d-a------ C:\WINDOWS\logo1_.exe 2008-07-16 07:05 . 2008-07-16 12:43   d-------- C:\Documents and Settings\brlabor4\Application Data\Lavasoft 2008-07-16 07:05 . 2008-07-16 13:42   d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft 2008-07-15 16:08 . 2008-07-16 07:05   d-------- C:\Program Files\Spybot - Search & Destroy 2008-07-15 13:16 . 2008-07-15 13:16 0 --a------ C:\23990098.$$$ 2008-07-15 11:17 . 2008-07-15 11:42 26 --a------ C:\WINDOWS\Lic.xxx 2008-07-15 11:16 . 2008-07-15 13:52   d-------- C:\Temp\AVCBack 2008-07-15 11:16 . 2004-08-04 01:56 146,432 --a------ C:\WINDOWS\R.COM 2008-07-15 11:16 . 2004-08-04 01:56 135,680 --a------ C:\WINDOWS\system32\T.COM 2008-07-15 11:09 . 2008-07-15 11:09   d-------- C:\Temp\F-Secure 2008-07-15 11:03 . 2008-07-15 11:03 300 --a------ C:\WINDOWS\wininit.ini 2008-07-15 10:33 . 2008-07-16 07:08   d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-07-10 16:39 . 2008-07-10 16:39 44 --a------ C:\WINDOWS\73334xxx00_AN.PJT 2008-07-10 16:12 . 2008-07-10 16:12 44 --a------ C:\WINDOWS\73334xxx00_BE.PJT .((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-07-16 10:46 14,336 ----a-w C:\WINDOWS\system32\svchost.exe2008-07-16 06:29 --------- d-----w C:\Program Files\Google2004-03-15 15:51 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll2006-01-23 08:32 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll2007-02-08 08:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll. (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]'Realtime Monitor'='C:\PROGRA~1\CA\ETRUST~1ealmon.exe' [2003-02-13 11:25 493024]'niDevMon'='C:\Program Files\National Instruments\NI-DAQ\HWConfig
idevmon.exe' [2007-02-24 02:34 92960]'TPPOLL10'='C:\Program Files\PenScope\PenScope\TPPOLL10.EXE' [2007-05-10 20:57 40960] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]'CTFMON.EXE'='C:\WINDOWS\System32\CTFMON.EXE' [2004-08-04 14:00 15360] C:\Documents and Settings\brlabor4\Start Menu\Programs\Startup\Shortcut to hardcopy.lnk - C:\Program Files\Hardcopy\hardcopy.exe [2004-07-26 18:49:30 1093632] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]'DisableCAD'= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversionun-]'MSMSGS'='C:\Program Files\Messenger\MSMSGS.EXE' /background [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]'EnableFirewall'= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]'%windir%\system32\sessmgr.exe'='%windir%\Network Diagnostic\xpnetdiag.exe'= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]'10010:TCP'= 10010:TCP:190.100.0.0/255.255.0.0:Enabled:AdAware'2868:TCP'= 2868:TCP:190.100.0.0/255.255.0.0:Enabled:NVC R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers
ipalk.sys [2007-02-15 22:59]R0 nipbcfk;National Instruments Class Upper Filter Driver;C:\WINDOWS\system32\drivers
ipbcfk.sys [2007-02-15 17:23]R2 CameraMonitor;FLIR Camera Monitor;C:\Program Files\FLIR Systems\ThermaCAM QuickView 2\T3Srv.exe [2006-06-08 13:58]R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2005-06-10 10:01]R2 glpntdrv;glpntdrv;C:\WINDOWS\system32\drivers\glpntdrv.sys [1998-11-25 17:48]R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 02:29]R2 mxssvr;NI Configuration Manager;C:\Program Files\National Instruments\MAX
imxs.exe [2007-02-22 08:46]R2 ni488enumsvc;NI-488.2 Enumeration Service;C:\WINDOWS\system32
ipalsm.exe [2007-02-16 10:21]R2 nidevldu;NI Device Loader;C:\WINDOWS\system32
ipalsm.exe [2007-02-16 10:21]R2 nipxirmk;nipxirmk;C:\WINDOWS\system32\drivers
ipxirmkl.sys [2007-02-22 11:18]R2 NITaggerService;National Instruments Variable Engine;C:\Program Files\National Instruments\Shared\Tagger	agsrv.exe [2007-02-06 22:47]R2 NiViPxiK;NI-VISA PXI Driver;C:\WINDOWS\system32\drivers\NiViPxiKl.sys [2007-02-23 10:25]R3 nidimk;nidimk;C:\WINDOWS\system32\drivers
idimkl.sys [2007-02-21 22:20]R3 nimdbgk;nimdbgk;C:\WINDOWS\system32\drivers
imdbgkl.sys [2007-02-21 21:46]R3 nimru2k;nimru2k;C:\WINDOWS\system32\drivers
imru2kl.sys [2007-02-21 22:39]R3 nimstsk;nimstsk;C:\WINDOWS\system32\drivers
imstskl.sys [2007-02-25 20:12]R3 nimxdfk;nimxdfk;C:\WINDOWS\system32\drivers
imxdfkl.sys [2007-02-21 22:10]S2 MCUSBICD2;Microchip MPLAB ICD 2 Firmware Client Driver (ICD2W2K.SYS);C:\WINDOWS\system32\Drivers\icd2w2k.sys [2004-03-22 02:43]S3 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2002-09-20 02:27]S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2002-09-20 02:41]S3 DCamUSBTP10;Pen Scope;C:\WINDOWS\system32\Drivers\TP6810.sys [2007-07-26 19:56]S3 FLIRUSBNET;FLIR USB Network Adapter;C:\WINDOWS\system32\DRIVERS\FLIRUSB.sys [2006-05-05 13:20]S3 lvalarmk;lvalarmk;C:\WINDOWS\system32\drivers\lvalarmk.sys [2007-01-11 10:18]S3 ni1006k;NI PXI-1006 Chassis Pilot;C:\WINDOWS\system32\drivers
i1006k.sys [2007-02-22 11:40]S3 ni1045k;NI PXI-1045 Chassis Pilot;C:\WINDOWS\system32\drivers
i1045kl.sys [2007-02-22 11:43]S3 ni488lock;NI-488.2 Locking Service;C:\WINDOWS\system32\drivers
i488lock.sys [2007-02-26 12:40]S3 nicdrk;nicdrk;C:\WINDOWS\system32\drivers
icdrkl.sys [2007-02-22 18:18]S3 nidmxfk;nidmxfk;C:\WINDOWS\system32\drivers
idmxfkl.sys [2007-02-25 20:12]S3 nidsark;nidsark;C:\WINDOWS\system32\drivers
idsarkl.sys [2007-02-23 17:43]S3 niemrk;niemrk;C:\WINDOWS\system32\drivers
iemrkl.sys [2007-02-25 19:13]S3 niesrk;niesrk;C:\WINDOWS\system32\drivers
iesrkl.sys [2007-02-25 19:13]S3 nifslk;nifslk;C:\WINDOWS\system32\drivers
ifslkl.sys [2007-02-22 13:21]S3 nimsdrk;nimsdrk;C:\WINDOWS\system32\drivers
imsdrkl.sys [2007-02-25 20:10]S3 nimslk;nimslk;C:\WINDOWS\system32\drivers
imslk.dll [2006-12-18 12:55]S3 nimsrlk;nimsrlk;C:\WINDOWS\system32\drivers
imsrlk.dll [2006-12-18 12:55]S3 nimxpk;nimxpk;C:\WINDOWS\system32\drivers
imxpkl.sys [2007-02-22 13:26]S3 ninshsdk;ninshsdk;C:\WINDOWS\system32\drivers
inshsdkl.sys [2007-02-23 17:25]S3 niorbk;niorbk;C:\WINDOWS\system32\drivers
iorbkl.sys [2007-02-21 21:39]S3 nipalfwedl;nipalfwedl;C:\WINDOWS\system32\drivers
ipalfwedl.sys [2007-02-15 23:00]S3 nipalusbedl;nipalusbedl;C:\WINDOWS\system32\drivers
ipalusbedl.sys [2007-02-15 23:00]S3 nipxigpk;NI PXI Generic Chassis Pilot;C:\WINDOWS\system32\drivers
ipxigpk.sys [2007-02-22 11:45]S3 niscdk;niscdk;C:\WINDOWS\system32\drivers
iscdkl.sys [2007-02-26 16:31]S3 nisdigk;nisdigk;C:\WINDOWS\system32\drivers
isdigkl.sys [2007-02-25 19:11]S3 nisftk;nisftk;C:\WINDOWS\system32\drivers
isftkl.sys [2007-02-24 00:17]S3 nismbusk;nismbusk;C:\WINDOWS\system32\drivers
ismbusk.sys [2007-02-22 11:34]S3 nispdk;nispdk;C:\WINDOWS\system32\drivers
ispdkl.sys [2007-02-26 16:31]S3 nissrk;nissrk;C:\WINDOWS\system32\drivers
issrkl.sys [2007-02-25 19:13]S3 nistc2k;nistc2k;C:\WINDOWS\system32\drivers
istc2kl.sys [2007-02-22 20:17]S3 nistcrk;nistcrk;C:\WINDOWS\system32\drivers
istcrkl.sys [2007-02-23 03:14]S3 niswdk;niswdk;C:\WINDOWS\system32\drivers
iswdkl.sys [2007-02-23 20:44]S3 nitiork;nitiork;C:\WINDOWS\system32\drivers
itiorkl.sys [2007-02-23 15:54]S3 NiViFWK;NI-VISA FireWire Driver;C:\WINDOWS\system32\drivers\NiViFWKl.sys [2007-02-22 10:42]S3 NiViPciK;NI-VISA PCI Driver;C:\WINDOWS\system32\drivers\NiViPciKl.sys [2007-02-23 10:25]S3 niwfrk;niwfrk;C:\WINDOWS\system32\drivers
iwfrkl.sys [2007-02-25 19:13]S3 nixsrk;nixsrk;C:\WINDOWS\system32\drivers
ixsrkl.sys [2007-02-25 19:13]S3 TTUSB1;TTUSB1.SYS TechTools USB device driver;C:\WINDOWS\system32\Drivers\TTUSB1.sys [2007-06-25 07:31]S3 usb6xxxk;usb6xxxk;C:\WINDOWS\system32\drivers\usb6xxxk.sys [2007-02-25 19:11] .************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-07-16 16:50:08Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0 **************************************************************************.Completion time: 2008-07-16 16:51:14ComboFix-quarantined-files.txt  2008-07-16 14:51:07ComboFix2.txt  2008-07-16 14:29:04ComboFix3.txt  2008-07-16 13:37:57 Pre-Run: 3,618,713,600 bytes freePost-Run: 3,608,424,448 bytes free 191 --- E O F --- 2008-07-16 10:23:00

aqua08 · Answer

ComboFix finished.. there hasn´t been opened a Log as before, but I think it overwrote the ComboFix.txt on C:\ ?   So this would be the result:   ComboFix 08-07-14.2 - Administrator 2008-07-16 16:25:23.2 - NTFSx86Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.704 [GMT 2:00]Running from: C:\Documents and Settings\Administrator\Desktop\combofix\ComboFix.exeCommand switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!. (((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))). C:\Temp\gis63c50 .(((((((((((((((((((((((((   Files Created from 2008-06-16 to 2008-07-16  ))))))))))))))))))))))))))))))). 2008-07-16 13:43 . 2008-07-16 13:43 36,352 --a------ C:\WINDOWS\system32\drivers\843lozjc.exe2008-07-16 13:33 . 2008-07-16 13:33   d-------- C:\WINDOWS\msapps 2008-07-16 13:13 . 2008-07-16 13:41 34,468 --a------ C:\WINDOWS\system32\kcopt.dll 2008-07-16 12:47 . 2008-07-16 12:47 29 --a------ C:\WINDOWS\system32\opurerdp.tmp 2008-07-16 12:46 . 2008-07-16 12:46 15,360 --a------ C:\WINDOWS\system32\wpx33.cpx 2008-07-16 12:46 . 2008-07-16 12:46 0 --a------ C:\12.tmp 2008-07-16 12:43 . 2008-07-16 12:43   d-------- C:\Program Files\Lavasoft 2008-07-16 12:40 . 2008-07-16 12:41   d-------- C:\Program Files\ClearProg 2008-07-16 12:23 . 2008-07-16 12:23   d-------- C:\Program Files\MSXML 4.0 2008-07-16 12:04 . 2004-08-04 14:00 119,808 --a--c--- C:\WINDOWS\system32\dllcache\winmine.exe 2008-07-16 12:04 . 2004-08-04 14:00 113,222 --a--c--- C:\WINDOWS\system32\dllcache\zoneclim.dll 2008-07-16 12:04 . 2004-08-04 14:00 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime 2008-07-16 12:04 . 2004-08-04 14:00 41,029 --a--c--- C:\WINDOWS\system32\dllcache\zcorem.dll 2008-07-16 12:04 . 2004-08-04 14:00 36,937 --a--c--- C:\WINDOWS\system32\dllcache\zclientm.exe 2008-07-16 12:04 . 2004-08-04 14:00 29,760 --a--c--- C:\WINDOWS\system32\dllcache\znetm.dll 2008-07-16 12:04 . 2004-08-04 14:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls 2008-07-16 12:04 . 2004-08-04 14:00 13,894 --a--c--- C:\WINDOWS\system32\dllcache\zonelibm.dll 2008-07-16 12:04 . 2004-08-04 14:00 4,677 --a--c--- C:\WINDOWS\system32\dllcache\zeeverm.dll 2008-07-16 12:02 . 2004-08-04 14:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex 2008-07-16 12:01 . 2004-08-04 14:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll 2008-07-16 12:00 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll 2008-07-16 11:58 . 2004-08-04 14:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\WindowsShell.Manifest 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\system32
wc.cpl.manifest 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\system32
cpa.cpl.manifest 2008-07-16 11:58 . 2008-07-16 11:58 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest 2008-07-16 11:46 . 2004-08-04 14:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll 2008-07-16 11:46 . 2004-08-04 14:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll 2008-07-16 11:46 . 2004-08-04 14:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll 2008-07-16 11:46 . 2004-08-04 14:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll 2008-07-16 10:04 . 2008-07-16 10:04 23,484 --a------ C:\WINDOWS\Microsoft Outlook.FAV 2008-07-16 09:48 . 2008-02-12 14:59 1,306,624 --a------ C:\WINDOWS\system32\msxml6.dll 2008-07-16 09:48 . 2008-02-12 02:48 79,872 --a------ C:\WINDOWS\system32\msxml6r.dll 2008-07-16 09:39 . 2008-02-12 03:13 10,240 --a------ C:\WINDOWS\system32\drivers\sffp_mmc.sys 2008-07-16 09:38 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\ 003374_.tmp 2008-07-16 08:14 . 2008-07-16 08:14   d-------- C:\Program Files\Trend Micro 2008-07-16 07:53 . 2008-07-16 08:30   d-------- C:\HJT 2008-07-16 07:42 . 2008-07-16 07:43   d-------- C:\Desktop 2008-07-16 07:05 . 2008-07-16 07:05   d-a------ C:\WINDOWS\zts2.exe 2008-07-16 07:05 . 2008-07-16 07:05   d-a------ C:\WINDOWS\system32\vcmgcd32.dll 2008-07-16 07:05 . 2008-07-16 07:05   d-a------ C:\WINDOWS\system32\iifgfgf.dll 2008-07-16 07:05 . 2008-07-16 07:05   d-a------ C:\WINDOWSundll16.exe 2008-07-16 07:05 . 2008-07-16 07:05   d-a------ C:\WINDOWSundl132.dll 2008-07-16 07:05 . 2008-07-16 07:05   d-a------ C:\WINDOWS\logo1_.exe 2008-07-16 07:05 . 2008-07-16 12:43   d-------- C:\Documents and Settings\brlabor4\Application Data\Lavasoft 2008-07-16 07:05 . 2008-07-16 13:42   d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft 2008-07-15 16:08 . 2008-07-16 07:05   d-------- C:\Program Files\Spybot - Search & Destroy 2008-07-15 13:16 . 2008-07-15 13:16 0 --a------ C:\23990098.$$$ 2008-07-15 11:17 . 2008-07-15 11:42 26 --a------ C:\WINDOWS\Lic.xxx 2008-07-15 11:16 . 2008-07-15 13:52   d-------- C:\Temp\AVCBack 2008-07-15 11:16 . 2004-08-04 01:56 146,432 --a------ C:\WINDOWS\R.COM 2008-07-15 11:16 . 2004-08-04 01:56 135,680 --a------ C:\WINDOWS\system32\T.COM 2008-07-15 11:09 . 2008-07-15 11:09   d-------- C:\Temp\F-Secure 2008-07-15 11:03 . 2008-07-15 11:03 300 --a------ C:\WINDOWS\wininit.ini 2008-07-15 10:33 . 2008-07-16 07:08   d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-07-10 16:39 . 2008-07-10 16:39 44 --a------ C:\WINDOWS\73334xxx00_AN.PJT 2008-07-10 16:12 . 2008-07-10 16:12 44 --a------ C:\WINDOWS\73334xxx00_BE.PJT .((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-07-16 10:46 14,336 ----a-w C:\WINDOWS\system32\svchost.exe2008-07-16 06:29 --------- d-----w C:\Program Files\Google2004-03-15 15:51 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll2006-01-23 08:32 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll2007-02-08 08:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll. (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]'Realtime Monitor'='C:\PROGRA~1\CA\ETRUST~1ealmon.exe' [2003-02-13 11:25 493024]'niDevMon'='C:\Program Files\National Instruments\NI-DAQ\HWConfig
idevmon.exe' [2007-02-24 02:34 92960]'TPPOLL10'='C:\Program Files\PenScope\PenScope\TPPOLL10.EXE' [2007-05-10 20:57 40960] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]'CTFMON.EXE'='C:\WINDOWS\System32\CTFMON.EXE' [2004-08-04 14:00 15360] C:\Documents and Settings\brlabor4\Start Menu\Programs\Startup\Shortcut to hardcopy.lnk - C:\Program Files\Hardcopy\hardcopy.exe [2004-07-26 18:49:30 1093632] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]'DisableCAD'= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversionun-]'MSMSGS'='C:\Program Files\Messenger\MSMSGS.EXE' /background [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]'EnableFirewall'= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]'%windir%\system32\sessmgr.exe'='%windir%\Network Diagnostic\xpnetdiag.exe'= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]'10010:TCP'= 10010:TCP:190.100.0.0/255.255.0.0:Enabled:AdAware'2868:TCP'= 2868:TCP:190.100.0.0/255.255.0.0:Enabled:NVC R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers
ipalk.sys [2007-02-15 22:59]R0 nipbcfk;National Instruments Class Upper Filter Driver;C:\WINDOWS\system32\drivers
ipbcfk.sys [2007-02-15 17:23]R2 CameraMonitor;FLIR Camera Monitor;C:\Program Files\FLIR Systems\ThermaCAM QuickView 2\T3Srv.exe [2006-06-08 13:58]R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2005-06-10 10:01]R2 glpntdrv;glpntdrv;C:\WINDOWS\system32\drivers\glpntdrv.sys [1998-11-25 17:48]R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 02:29]R2 mxssvr;NI Configuration Manager;C:\Program Files\National Instruments\MAX
imxs.exe [2007-02-22 08:46]R2 ni488enumsvc;NI-488.2 Enumeration Service;C:\WINDOWS\system32
ipalsm.exe [2007-02-16 10:21]R2 nidevldu;NI Device Loader;C:\WINDOWS\system32
ipalsm.exe [2007-02-16 10:21]R2 nipxirmk;nipxirmk;C:\WINDOWS\system32\drivers
ipxirmkl.sys [2007-02-22 11:18]R2 NITaggerService;National Instruments Variable Engine;C:\Program Files\National Instruments\Shared\Tagger	agsrv.exe [2007-02-06 22:47]R2 NiViPxiK;NI-VISA PXI Driver;C:\WINDOWS\system32\drivers\NiViPxiKl.sys [2007-02-23 10:25]R3 nidimk;nidimk;C:\WINDOWS\system32\drivers
idimkl.sys [2007-02-21 22:20]R3 nimdbgk;nimdbgk;C:\WINDOWS\system32\drivers
imdbgkl.sys [2007-02-21 21:46]R3 nimru2k;nimru2k;C:\WINDOWS\system32\drivers
imru2kl.sys [2007-02-21 22:39]R3 nimstsk;nimstsk;C:\WINDOWS\system32\drivers
imstskl.sys [2007-02-25 20:12]R3 nimxdfk;nimxdfk;C:\WINDOWS\system32\drivers
imxdfkl.sys [2007-02-21 22:10]S2 MCUSBICD2;Microchip MPLAB ICD 2 Firmware Client Driver (ICD2W2K.SYS);C:\WINDOWS\system32\Drivers\icd2w2k.sys [2004-03-22 02:43]S3 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2002-09-20 02:27]S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2002-09-20 02:41]S3 DCamUSBTP10;Pen Scope;C:\WINDOWS\system32\Drivers\TP6810.sys [2007-07-26 19:56]S3 FLIRUSBNET;FLIR USB Network Adapter;C:\WINDOWS\system32\DRIVERS\FLIRUSB.sys [2006-05-05 13:20]S3 lvalarmk;lvalarmk;C:\WINDOWS\system32\drivers\lvalarmk.sys [2007-01-11 10:18]S3 ni1006k;NI PXI-1006 Chassis Pilot;C:\WINDOWS\system32\drivers
i1006k.sys [2007-02-22 11:40]S3 ni1045k;NI PXI-1045 Chassis Pilot;C:\WINDOWS\system32\drivers
i1045kl.sys [2007-02-22 11:43]S3 ni488lock;NI-488.2 Locking Service;C:\WINDOWS\system32\drivers
i488lock.sys [2007-02-26 12:40]S3 nicdrk;nicdrk;C:\WINDOWS\system32\drivers
icdrkl.sys [2007-02-22 18:18]S3 nidmxfk;nidmxfk;C:\WINDOWS\system32\drivers
idmxfkl.sys [2007-02-25 20:12]S3 nidsark;nidsark;C:\WINDOWS\system32\drivers
idsarkl.sys [2007-02-23 17:43]S3 niemrk;niemrk;C:\WINDOWS\system32\drivers
iemrkl.sys [2007-02-25 19:13]S3 niesrk;niesrk;C:\WINDOWS\system32\drivers
iesrkl.sys [2007-02-25 19:13]S3 nifslk;nifslk;C:\WINDOWS\system32\drivers
ifslkl.sys [2007-02-22 13:21]S3 nimsdrk;nimsdrk;C:\WINDOWS\system32\drivers
imsdrkl.sys [2007-02-25 20:10]S3 nimslk;nimslk;C:\WINDOWS\system32\drivers
imslk.dll [2006-12-18 12:55]S3 nimsrlk;nimsrlk;C:\WINDOWS\system32\drivers
imsrlk.dll [2006-12-18 12:55]S3 nimxpk;nimxpk;C:\WINDOWS\system32\drivers
imxpkl.sys [2007-02-22 13:26]S3 ninshsdk;ninshsdk;C:\WINDOWS\system32\drivers
inshsdkl.sys [2007-02-23 17:25]S3 niorbk;niorbk;C:\WINDOWS\system32\drivers
iorbkl.sys [2007-02-21 21:39]S3 nipalfwedl;nipalfwedl;C:\WINDOWS\system32\drivers
ipalfwedl.sys [2007-02-15 23:00]S3 nipalusbedl;nipalusbedl;C:\WINDOWS\system32\drivers
ipalusbedl.sys [2007-02-15 23:00]S3 nipxigpk;NI PXI Generic Chassis Pilot;C:\WINDOWS\system32\drivers
ipxigpk.sys [2007-02-22 11:45]S3 niscdk;niscdk;C:\WINDOWS\system32\drivers
iscdkl.sys [2007-02-26 16:31]S3 nisdigk;nisdigk;C:\WINDOWS\system32\drivers
isdigkl.sys [2007-02-25 19:11]S3 nisftk;nisftk;C:\WINDOWS\system32\drivers
isftkl.sys [2007-02-24 00:17]S3 nismbusk;nismbusk;C:\WINDOWS\system32\drivers
ismbusk.sys [2007-02-22 11:34]S3 nispdk;nispdk;C:\WINDOWS\system32\drivers
ispdkl.sys [2007-02-26 16:31]S3 nissrk;nissrk;C:\WINDOWS\system32\drivers
issrkl.sys [2007-02-25 19:13]S3 nistc2k;nistc2k;C:\WINDOWS\system32\drivers
istc2kl.sys [2007-02-22 20:17]S3 nistcrk;nistcrk;C:\WINDOWS\system32\drivers
istcrkl.sys [2007-02-23 03:14]S3 niswdk;niswdk;C:\WINDOWS\system32\drivers
iswdkl.sys [2007-02-23 20:44]S3 nitiork;nitiork;C:\WINDOWS\system32\drivers
itiorkl.sys [2007-02-23 15:54]S3 NiViFWK;NI-VISA FireWire Driver;C:\WINDOWS\system32\drivers\NiViFWKl.sys [2007-02-22 10:42]S3 NiViPciK;NI-VISA PCI Driver;C:\WINDOWS\system32\drivers\NiViPciKl.sys [2007-02-23 10:25]S3 niwfrk;niwfrk;C:\WINDOWS\system32\drivers
iwfrkl.sys [2007-02-25 19:13]S3 nixsrk;nixsrk;C:\WINDOWS\system32\drivers
ixsrkl.sys [2007-02-25 19:13]S3 TTUSB1;TTUSB1.SYS TechTools USB device driver;C:\WINDOWS\system32\Drivers\TTUSB1.sys [2007-06-25 07:31]S3 usb6xxxk;usb6xxxk;C:\WINDOWS\system32\drivers\usb6xxxk.sys [2007-02-25 19:11] .************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-07-16 16:27:55Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0 **************************************************************************.Completion time: 2008-07-16 16:29:03ComboFix-quarantined-files.txt  2008-07-16 14:28:56ComboFix2.txt  2008-07-16 13:37:57 Pre-Run: 3,646,394,368 bytes freePost-Run: 3,635,953,664 bytes free 180 --- E O F --- 2008-07-16 10:23:00

bamajim · Answer

aqua08

Better. One more time and I think we are there

1. Open NotePad (not wordpad). Copy and paste the following into Notepad

Folder::
C:\WINDOWS\zts2.exe
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\logo1_.exe

Save the File as CFScript(exactly as shown no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

user posted image

You will be prompted to run Combofix again, Do so
Following the same rules as indicated in my first post
Then post the contents of the C:\ComboFix.txt log in your reply

2. Rerun Hijackthis and post a fresh Hijackthis log as well

Microsoft MVP Consumer-Security

CastleCops Instructor

"The world is what you make of it"

aqua08 · Answer

2nd: HijackThis Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 17:09:51, on 16.07.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\FLIR Systems\ThermaCAM QuickView 2\T3Srv.exe C:\Program Files\CA\eTrust Antivirus\InoRpc.exe C:\Program Files\CA\eTrust Antivirus\InoRT.exe C:\Program Files\CA\eTrust Antivirus\InoTask.exe C:\WINDOWS\system32\lkcitdl.exe C:\WINDOWS\system32\lkads.exe C:\WINDOWS\system32\lktsrv.exe C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe C:\Program Files\National Instruments\MAX
imxs.exe C:\WINDOWS\system32
ipalsm.exe C:\Program Files\National Instruments\Shared\Security
idmsrv.exe C:\WINDOWS\system32
isvcloc.exe C:\Program Files\National Instruments\Shared\Tagger	agsrv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32
ipalsm.exe C:\PROGRA~1\CA\ETRUST~1ealmon.exe C:\Program Files\National Instruments\NI-DAQ\HWConfig
idevmon.exe C:\Program Files\PenScope\PenScope\TPPOLL10.EXE C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.5.0.150:80 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*.*; 190.100.205.*; O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1ealmon.exe -s O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig
idevmon.exe O4 - HKLM\..\Run: [TPPOLL10] C:\Program Files\PenScope\PenScope\TPPOLL10.EXE O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {304171C0-65EA-4B51-B5D9-93A311E26EB1} (MxPEG_ActiveX Control) - http://10.5.1.96/cgi-bin/MxPEG_ActiveX.cab?dummy=9343383 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164960987482 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = glamox.local O17 - HKLM\Software\..\Telephony: DomainName = glamox.local O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = glamox.local O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = glamox.local O23 - Service: FLIR Camera Monitor (CameraMonitor) - FLIR Systems - C:\Program Files\FLIR Systems\ThermaCAM QuickView 2\T3Srv.exe O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX
imxs.exe O23 - Service: NI-488.2 Enumeration Service (ni488enumsvc) - National Instruments Corporation - C:\WINDOWS\system32
ipalsm.exe O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - C:\WINDOWS\system32
ipalsm.exe O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security
idmsrv.exe O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - C:\WINDOWS\system32
ipalsm.exe O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32
isvcloc.exe O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger	agsrv.exe O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe -- End of file - 6466 bytes

aqua08 · Answer

First of all, thank you for your help!!! I will now go home, because it´s already after five pm and I began at six am today.. So I´ll read your answer tomorrow. But I hope the problem is fixed now THANK YOU AGAIN AND AGAIN ;)      1st: ComboFix Log   ComboFix 08-07-14.2 - Administrator 2008-07-16 17:05:24.4 - NTFSx86Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.695 [GMT 2:00]Running from: C:\Documents and Settings\Administrator\Desktop\combofix\ComboFix.exeCommand switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!. (((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))). C:\WINDOWS\logo1_.exeC:\WINDOWSundl132.dllC:\WINDOWSundll16.exeC:\WINDOWS\system32\iifgfgf.dllC:\WINDOWS\system32\vcmgcd32.dllC:\WINDOWS\zts2.exe .(((((((((((((((((((((((((   Files Created from 2008-06-16 to 2008-07-16  ))))))))))))))))))))))))))))))). 2008-07-16 13:33 . 2008-07-16 13:33   d-------- C:\WINDOWS\msapps 2008-07-16 12:46 . 2008-07-16 12:46 0 --a------ C:\12.tmp 2008-07-16 12:43 . 2008-07-16 12:43   d-------- C:\Program Files\Lavasoft 2008-07-16 12:40 . 2008-07-16 12:41   d-------- C:\Program Files\ClearProg 2008-07-16 12:23 . 2008-07-16 12:23   d-------- C:\Program Files\MSXML 4.0 2008-07-16 12:04 . 2004-08-04 14:00 119,808 --a--c--- C:\WINDOWS\system32\dllcache\winmine.exe 2008-07-16 12:04 . 2004-08-04 14:00 113,222 --a--c--- C:\WINDOWS\system32\dllcache\zoneclim.dll 2008-07-16 12:04 . 2004-08-04 14:00 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime 2008-07-16 12:04 . 2004-08-04 14:00 41,029 --a--c--- C:\WINDOWS\system32\dllcache\zcorem.dll 2008-07-16 12:04 . 2004-08-04 14:00 36,937 --a--c--- C:\WINDOWS\system32\dllcache\zclientm.exe 2008-07-16 12:04 . 2004-08-04 14:00 29,760 --a--c--- C:\WINDOWS\system32\dllcache\znetm.dll 2008-07-16 12:04 . 2004-08-04 14:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls 2008-07-16 12:04 . 2004-08-04 14:00 13,894 --a--c--- C:\WINDOWS\system32\dllcache\zonelibm.dll 2008-07-16 12:04 . 2004-08-04 14:00 4,677 --a--c--- C:\WINDOWS\system32\dllcache\zeeverm.dll 2008-07-16 12:02 . 2004-08-04 14:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex 2008-07-16 12:01 . 2004-08-04 14:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll 2008-07-16 12:00 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll 2008-07-16 11:58 . 2004-08-04 14:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\WindowsShell.Manifest 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\system32
wc.cpl.manifest 2008-07-16 11:58 . 2008-07-16 11:58 749 -rah----- C:\WINDOWS\system32
cpa.cpl.manifest 2008-07-16 11:58 . 2008-07-16 11:58 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest 2008-07-16 11:46 . 2004-08-04 14:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll 2008-07-16 11:46 . 2004-08-04 14:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll 2008-07-16 11:46 . 2004-08-04 14:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll 2008-07-16 11:46 . 2004-08-04 14:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll 2008-07-16 10:04 . 2008-07-16 10:04 23,484 --a------ C:\WINDOWS\Microsoft Outlook.FAV 2008-07-16 09:48 . 2008-02-12 14:59 1,306,624 --a------ C:\WINDOWS\system32\msxml6.dll 2008-07-16 09:48 . 2008-02-12 02:48 79,872 --a------ C:\WINDOWS\system32\msxml6r.dll 2008-07-16 09:39 . 2008-02-12 03:13 10,240 --a------ C:\WINDOWS\system32\drivers\sffp_mmc.sys 2008-07-16 09:38 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\ 003374_.tmp 2008-07-16 08:14 . 2008-07-16 08:14   d-------- C:\Program Files\Trend Micro 2008-07-16 07:53 . 2008-07-16 08:30   d-------- C:\HJT 2008-07-16 07:42 . 2008-07-16 07:43   d-------- C:\Desktop 2008-07-16 07:05 . 2008-07-16 12:43   d-------- C:\Documents and Settings\brlabor4\Application Data\Lavasoft 2008-07-16 07:05 . 2008-07-16 13:42   d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft 2008-07-15 16:08 . 2008-07-16 07:05   d-------- C:\Program Files\Spybot - Search & Destroy 2008-07-15 13:16 . 2008-07-15 13:16 0 --a------ C:\23990098.$$$ 2008-07-15 11:17 . 2008-07-15 11:42 26 --a------ C:\WINDOWS\Lic.xxx 2008-07-15 11:16 . 2008-07-15 13:52   d-------- C:\Temp\AVCBack 2008-07-15 11:16 . 2004-08-04 01:56 146,432 --a------ C:\WINDOWS\R.COM 2008-07-15 11:16 . 2004-08-04 01:56 135,680 --a------ C:\WINDOWS\system32\T.COM 2008-07-15 11:09 . 2008-07-15 11:09   d-------- C:\Temp\F-Secure 2008-07-15 11:03 . 2008-07-15 11:03 300 --a------ C:\WINDOWS\wininit.ini 2008-07-15 10:33 . 2008-07-16 07:08   d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-07-10 16:39 . 2008-07-10 16:39 44 --a------ C:\WINDOWS\73334xxx00_AN.PJT 2008-07-10 16:12 . 2008-07-10 16:12 44 --a------ C:\WINDOWS\73334xxx00_BE.PJT .((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-07-16 10:46 14,336 ----a-w C:\WINDOWS\system32\svchost.exe2008-07-16 06:29 --------- d-----w C:\Program Files\Google2004-03-15 15:51 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll2006-01-23 08:32 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll2007-02-08 08:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll. (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]'Realtime Monitor'='C:\PROGRA~1\CA\ETRUST~1ealmon.exe' [2003-02-13 11:25 493024]'niDevMon'='C:\Program Files\National Instruments\NI-DAQ\HWConfig
idevmon.exe' [2007-02-24 02:34 92960]'TPPOLL10'='C:\Program Files\PenScope\PenScope\TPPOLL10.EXE' [2007-05-10 20:57 40960] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]'CTFMON.EXE'='C:\WINDOWS\System32\CTFMON.EXE' [2004-08-04 14:00 15360] C:\Documents and Settings\brlabor4\Start Menu\Programs\Startup\Shortcut to hardcopy.lnk - C:\Program Files\Hardcopy\hardcopy.exe [2004-07-26 18:49:30 1093632] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]'DisableCAD'= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversionun-]'MSMSGS'='C:\Program Files\Messenger\MSMSGS.EXE' /background [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]'EnableFirewall'= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]'%windir%\system32\sessmgr.exe'='%windir%\Network Diagnostic\xpnetdiag.exe'= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]'10010:TCP'= 10010:TCP:190.100.0.0/255.255.0.0:Enabled:AdAware'2868:TCP'= 2868:TCP:190.100.0.0/255.255.0.0:Enabled:NVC R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers
ipalk.sys [2007-02-15 22:59]R0 nipbcfk;National Instruments Class Upper Filter Driver;C:\WINDOWS\system32\drivers
ipbcfk.sys [2007-02-15 17:23]R2 CameraMonitor;FLIR Camera Monitor;C:\Program Files\FLIR Systems\ThermaCAM QuickView 2\T3Srv.exe [2006-06-08 13:58]R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2005-06-10 10:01]R2 glpntdrv;glpntdrv;C:\WINDOWS\system32\drivers\glpntdrv.sys [1998-11-25 17:48]R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 02:29]R2 mxssvr;NI Configuration Manager;C:\Program Files\National Instruments\MAX
imxs.exe [2007-02-22 08:46]R2 ni488enumsvc;NI-488.2 Enumeration Service;C:\WINDOWS\system32
ipalsm.exe [2007-02-16 10:21]R2 nidevldu;NI Device Loader;C:\WINDOWS\system32
ipalsm.exe [2007-02-16 10:21]R2 nipxirmk;nipxirmk;C:\WINDOWS\system32\drivers
ipxirmkl.sys [2007-02-22 11:18]R2 NITaggerService;National Instruments Variable Engine;C:\Program Files\National Instruments\Shared\Tagger	agsrv.exe [2007-02-06 22:47]R2 NiViPxiK;NI-VISA PXI Driver;C:\WINDOWS\system32\drivers\NiViPxiKl.sys [2007-02-23 10:25]R3 nidimk;nidimk;C:\WINDOWS\system32\drivers
idimkl.sys [2007-02-21 22:20]R3 nimdbgk;nimdbgk;C:\WINDOWS\system32\drivers
imdbgkl.sys [2007-02-21 21:46]R3 nimru2k;nimru2k;C:\WINDOWS\system32\drivers
imru2kl.sys [2007-02-21 22:39]R3 nimstsk;nimstsk;C:\WINDOWS\system32\drivers
imstskl.sys [2007-02-25 20:12]R3 nimxdfk;nimxdfk;C:\WINDOWS\system32\drivers
imxdfkl.sys [2007-02-21 22:10]S2 MCUSBICD2;Microchip MPLAB ICD 2 Firmware Client Driver (ICD2W2K.SYS);C:\WINDOWS\system32\Drivers\icd2w2k.sys [2004-03-22 02:43]S3 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2002-09-20 02:27]S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2002-09-20 02:41]S3 DCamUSBTP10;Pen Scope;C:\WINDOWS\system32\Drivers\TP6810.sys [2007-07-26 19:56]S3 FLIRUSBNET;FLIR USB Network Adapter;C:\WINDOWS\system32\DRIVERS\FLIRUSB.sys [2006-05-05 13:20]S3 lvalarmk;lvalarmk;C:\WINDOWS\system32\drivers\lvalarmk.sys [2007-01-11 10:18]S3 ni1006k;NI PXI-1006 Chassis Pilot;C:\WINDOWS\system32\drivers
i1006k.sys [2007-02-22 11:40]S3 ni1045k;NI PXI-1045 Chassis Pilot;C:\WINDOWS\system32\drivers
i1045kl.sys [2007-02-22 11:43]S3 ni488lock;NI-488.2 Locking Service;C:\WINDOWS\system32\drivers
i488lock.sys [2007-02-26 12:40]S3 nicdrk;nicdrk;C:\WINDOWS\system32\drivers
icdrkl.sys [2007-02-22 18:18]S3 nidmxfk;nidmxfk;C:\WINDOWS\system32\drivers
idmxfkl.sys [2007-02-25 20:12]S3 nidsark;nidsark;C:\WINDOWS\system32\drivers
idsarkl.sys [2007-02-23 17:43]S3 niemrk;niemrk;C:\WINDOWS\system32\drivers
iemrkl.sys [2007-02-25 19:13]S3 niesrk;niesrk;C:\WINDOWS\system32\drivers
iesrkl.sys [2007-02-25 19:13]S3 nifslk;nifslk;C:\WINDOWS\system32\drivers
ifslkl.sys [2007-02-22 13:21]S3 nimsdrk;nimsdrk;C:\WINDOWS\system32\drivers
imsdrkl.sys [2007-02-25 20:10]S3 nimslk;nimslk;C:\WINDOWS\system32\drivers
imslk.dll [2006-12-18 12:55]S3 nimsrlk;nimsrlk;C:\WINDOWS\system32\drivers
imsrlk.dll [2006-12-18 12:55]S3 nimxpk;nimxpk;C:\WINDOWS\system32\drivers
imxpkl.sys [2007-02-22 13:26]S3 ninshsdk;ninshsdk;C:\WINDOWS\system32\drivers
inshsdkl.sys [2007-02-23 17:25]S3 niorbk;niorbk;C:\WINDOWS\system32\drivers
iorbkl.sys [2007-02-21 21:39]S3 nipalfwedl;nipalfwedl;C:\WINDOWS\system32\drivers
ipalfwedl.sys [2007-02-15 23:00]S3 nipalusbedl;nipalusbedl;C:\WINDOWS\system32\drivers
ipalusbedl.sys [2007-02-15 23:00]S3 nipxigpk;NI PXI Generic Chassis Pilot;C:\WINDOWS\system32\drivers
ipxigpk.sys [2007-02-22 11:45]S3 niscdk;niscdk;C:\WINDOWS\system32\drivers
iscdkl.sys [2007-02-26 16:31]S3 nisdigk;nisdigk;C:\WINDOWS\system32\drivers
isdigkl.sys [2007-02-25 19:11]S3 nisftk;nisftk;C:\WINDOWS\system32\drivers
isftkl.sys [2007-02-24 00:17]S3 nismbusk;nismbusk;C:\WINDOWS\system32\drivers
ismbusk.sys [2007-02-22 11:34]S3 nispdk;nispdk;C:\WINDOWS\system32\drivers
ispdkl.sys [2007-02-26 16:31]S3 nissrk;nissrk;C:\WINDOWS\system32\drivers
issrkl.sys [2007-02-25 19:13]S3 nistc2k;nistc2k;C:\WINDOWS\system32\drivers
istc2kl.sys [2007-02-22 20:17]S3 nistcrk;nistcrk;C:\WINDOWS\system32\drivers
istcrkl.sys [2007-02-23 03:14]S3 niswdk;niswdk;C:\WINDOWS\system32\drivers
iswdkl.sys [2007-02-23 20:44]S3 nitiork;nitiork;C:\WINDOWS\system32\drivers
itiorkl.sys [2007-02-23 15:54]S3 NiViFWK;NI-VISA FireWire Driver;C:\WINDOWS\system32\drivers\NiViFWKl.sys [2007-02-22 10:42]S3 NiViPciK;NI-VISA PCI Driver;C:\WINDOWS\system32\drivers\NiViPciKl.sys [2007-02-23 10:25]S3 niwfrk;niwfrk;C:\WINDOWS\system32\drivers
iwfrkl.sys [2007-02-25 19:13]S3 nixsrk;nixsrk;C:\WINDOWS\system32\drivers
ixsrkl.sys [2007-02-25 19:13]S3 TTUSB1;TTUSB1.SYS TechTools USB device driver;C:\WINDOWS\system32\Drivers\TTUSB1.sys [2007-06-25 07:31]S3 usb6xxxk;usb6xxxk;C:\WINDOWS\system32\drivers\usb6xxxk.sys [2007-02-25 19:11] .************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-07-16 17:07:46Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0 **************************************************************************.Completion time: 2008-07-16 17:08:52ComboFix-quarantined-files.txt  2008-07-16 15:08:44ComboFix2.txt  2008-07-16 14:51:15ComboFix3.txt  2008-07-16 14:29:04ComboFix4.txt  2008-07-16 13:37:57 Pre-Run: 3,592,912,896 bytes freePost-Run: 3,582,754,816 bytes free 177 --- E O F --- 2008-07-16 10:23:00

bamajim · Answer

aqua08

You are most welcome.

The last Hijackthis log you posted is unreadable

When you compose and submit your reply, please make sure the box under your text which shows "Automatically convert carriage returns to HTML line breaks" is checked or your reply may not format correctly.

Then repost your Hijackthis log.

And in your reply give me an update on how your PC is running at this point

Microsoft MVP Consumer-Security

CastleCops Instructor

"The world is what you make of it"

aqua08 · Answer

Unfortunately I have to say, that the problem still occurred after a reboot.. The taskmanager was disabled again.. As the user immediately needed his computer back, I decided to reinstall it completely...

But thank you anyway for your help. This blog was very useful and I´ll use it again if I have another problem..

Regards

Virus & Spyware

taskmanager disabled after reboot

Was this post helpful?