I have noticed over the past couple of weeks that the computer comes to a screeching halt, and when I hit CTRL ALT DELETE and check the processes running, there is this CIVSC.exe running that is hogging all my computer resources.
Some digging around leads me to believe it gets transferred onto the machine every time we sync the Palm (possibly Documents To Go?)
We have Kaspersky on here already, and for some reason I'm not able to get the Trend Micro scan to run. (Not sure if maybe it's because I'm in Canada? It won't run on my home PC either.)
Any ideas?

Ran a full scan with Kaspersky?
--------------------------------------------
To Private Message me Click Here

Can you please post your HijackThis and AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again.
1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.
2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.
3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.
You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.
begin ExecuteStdScr(3); RebootWindows(true); end.
Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:24 PM, on 5/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Launcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Documents and Settings\PC\Desktop\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - Startup: Outlook Express Monitor.lnk = C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: PUFLITE -http://www.calgaryhomepros.com/Colp...
CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (TrendMicro ActiveX Scan Agent 6.6) -
http://housecall65.trendmicro.com/h...
activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}(WUWebControl Class) -
http://www.update.microsoft.com/win...
ent/wuweb_site.cab?1230139000234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}(MUWebControl Class) -
http://update.microsoft.com/microso...
muweb_site.cab?1245911171328
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E}(GeacRevw Control) -
http://abmls.mlxchange.com/5.0.05.4...
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62}(QuickBooks Online Edition Utilities Class v10) -
https://accounting.quickbooks.com/c1/v23.174/qboax10.cab
O16 - DPF: {9AD9B5EB-F9E0-47D4-B20F-C29D58C6F5E1}(IndeXMap Class) -
http://alta.registries.gov.ab.ca/Sp...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}(Shockwave Flash Object) -
http://fpdownload2.macromedia.com/g...
b
O20 - AppInit_DLLs: C:\WINDOWS\system32\wisolike.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
--
End of file - 12642 bytes

Attention !!! Database was last updated 2/8/2009 it is necessary to update the bases using automatic updates (File/Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 5/26/2009 11:35:55 AM
Database loaded: signatures - 209302, NN profile(s) - 2, microprograms of healing - 56, signature database released 08.02.2009 18:56
Heuristic microprograms loaded: 372
SPV microprograms loaded: 9
Digital signatures of system files loaded: 91560
Heuristic analyzer mode: Medium heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=083220)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 8055A220
KiST = 804E26A8 (284)
Function NtAdjustPrivilegesToken (0B) intercepted (8058D0AD->B77291DA), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtClose (19) intercepted (805678DD->B77297AE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtConnectPort (1F) intercepted (805879F7->B772B1EA), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateFile (25) intercepted (8056CDC0->B772AB9C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateKey (29) intercepted (8057065D->B7728950), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateSymbolicLinkObject (34) intercepted (8059F519->B772CB7C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateThread (35) intercepted (8058E64B->B77295AE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDeleteKey (3F) intercepted (805952CA->B7728D92), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDeleteValueKey (41) intercepted (80592D5C->B7728F92), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDeviceIoControlFile (42) intercepted (8058EFB9->B772AEAC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDuplicateObject (44) intercepted (805715E0->B772D084), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtEnumerateKey (47) intercepted (80570D64->B77290A8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtEnumerateValueKey (49) intercepted (80590677->B7729110), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtFsControlFile (54) intercepted (8057AAB5->B772AD5E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtLoadDriver (61) intercepted (805A3B01->B772C620), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenFile (74) intercepted (8056CD5B->B772A9F8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenKey (77) intercepted (80568D59->B7728AB2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenProcess (7A) intercepted (805717C7->B77293B2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenSection (7D) intercepted (80570FD7->B772CBA6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenThread (80) intercepted (8058A1C9->B77292FE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueryKey (A0) intercepted (80570A6D->B7729178), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueryMultipleValueKey (A1) intercepted (8064E300->B7728E7C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueryValueKey (B1) intercepted (8056A1F2->B7728C5A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueueApcThread (B4) intercepted (80591097->B772C888), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtReplaceKey (C1) intercepted (8064F0DC->B77285D2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtRequestWaitReplyPort (C8) intercepted (80576CE6->B772BA74), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtRestoreKey (CC) intercepted (8064EC71->B7728734), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtResumeThread (CE) intercepted (8058ECBE->B772CF56), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSaveKey (CF) intercepted (8064ED72->B77283D0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSecureConnectPort (D2) intercepted (8058F4EA->B772B08C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetContextThread (D5) intercepted (8062DD17->B77296AC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetSecurityObject (ED) intercepted (8059B1AB->B772C71A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetSystemInformation (F0) intercepted (805A7BED->B772CBD0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (80572889->B7728B08), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSuspendProcess (FD) intercepted (8062F8F9->B772CCB4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSuspendThread (FE) intercepted (805E046E->B772CDE0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSystemDebugControl (FF) intercepted (80649CD9->B772C54C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtTerminateProcess (101) intercepted (805822EC->B772947E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtWriteVirtualMemory (115) intercepted (8057E42A->B77294F0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function FsRtlCheckLockForReadAccess (80512919) - machine code modification Method of JmpTo. jmp B7740626 \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
Function IoIsOperationSynchronous (804E875A) - machine code modification Method of JmpTo. jmp B77409E0 \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
Functions checked: 284, intercepted: 39, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 53
Number of modules loaded: 476
Scanning memory - complete
3. Scanning disks
E:\Program Files\eNeighborhoods, Inc\eNeighborhoods\entransfer.exe >>> suspicion for Trojan.Win32.VB.aup ( 00499829 0027FAA8 00179E41 0016D284 45056)
E:\Program Files\eNeighborhoods, Inc\eNeighborhoods\eN_RegFix.exe >>> suspicion for Trojan-Downloader.Win32.Adload.cm ( 0040A330 00469053 001BA63D 00204D3F 28672)
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Hooks32.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Hooks32.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\OFSOEPlugIn.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\OFSOEPlugIn.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\mimepp.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\mimepp.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\OFSClassAgent.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\OFSClassAgent.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Latent loading of libraries through AppInit_DLLs suspected: "C:\WINDOWS\system32\wisolike.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: Alerter (Alerter)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 248906, extracted from archives: 157452, malicious software found 0, suspicions - 2
Scanning finished at 5/26/2009 12:33:13 PM
Time of scanning: 00:57:19
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference

Re-read Response Number 3 and post the required files and hijackthis log to rapidshare.

Ok here is the Rapidshare:
http://rapidshare.com/files/2375893...
And the HiJack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:24 PM, on 5/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Launcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Documents and Settings\PC\Desktop\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - Startup: Outlook Express Monitor.lnk = C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: PUFLITE - http://www.calgaryhomepros.com/Colp...
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/h...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://abmls.mlxchange.com/5.0.05.4...
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c1/v23.174/qboax10.cab
O16 - DPF: {9AD9B5EB-F9E0-47D4-B20F-C29D58C6F5E1} (IndeXMap Class) - http://alta.registries.gov.ab.ca/Sp...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O20 - AppInit_DLLs: C:\WINDOWS\system32\wisolike.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
--
End of file - 12642 bytes

Follow these steps in order numbered:
1) Run this in AVZ, your computer will reboot.
begin
 SetAVZGuardStatus(True);
 SearchRootkit(true, true);
 QuarantineFile('C:\WINDOWS\system32\wisolike.dll','');
 DeleteFile('C:\WINDOWS\system32\wisolike.dll');
 BC_ImportAll;
 ExecuteSysClean;
 BC_Activate;
 RebootWindows(true);
end.
2) Attach a Combofix log, please review and follow these instructions carefully.
Download it here -> http://download.bleepingcomputer.co...
Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.
Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.
Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.
You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.
Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.
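The AVZ script in the reply above quarantines one of the five DLLs on the log's O20 AppInit_DLLs line, a registry value whose DLLs are loaded into every process that loads user32.dll. As an added illustration (not part of the original thread or of any tool mentioned in it), this Python example parses HijackThis lines and lists the entries worth verifying by hand. The function names and the known_dirs allow-list are assumptions made for the example.

```python
import re
from ntpath import dirname

# Excerpt of the HijackThis log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\wisolike.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")

def parse_entries(text):
    """Return (section, body) tuples for every 'Onn - ...' line; other lines are skipped."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]

def appinit_dlls(entries):
    """Split the O20 AppInit_DLLs value, which is delimited by commas or spaces."""
    dlls = []
    for section, body in entries:
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            dlls += [p for p in re.split(r"[,\s]+", value) if p]
    return dlls

def triage(entries, known_dirs):
    """Flag entries an analyst should verify by hand; a finding is not a verdict."""
    known = [d.lower() for d in known_dirs]
    findings = []
    for dll in appinit_dlls(entries):
        if dirname(dll).lower() not in known:
            findings.append(("O20", "AppInit DLL outside known product dirs", dll))
    for section, body in entries:
        if section == "O23" and " - Unknown owner - " in body:
            findings.append(("O23", "service binary with no vendor info", body.rsplit(" - ", 1)[1]))
    return findings

if __name__ == "__main__":
    # known_dirs is the analyst's own allow-list (assumed here: the installed AV's short path).
    for finding in triage(parse_entries(SAMPLE_LOG), [r"C:\PROGRA~1\KASPER~1\KASPER~1"]):
        print(*finding, sep=" | ")
```

Each flagged path still needs checking (signature, file properties, a scan of the file) before anything is deleted.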

I THINK YOU HAVE TO DOWNLOAD AVIRA ANTIVIRUS THEN SCAN YOUR PC AND DON'T FORGET TO UPDATE ITS DATABASE
FINALLY YOU HAVE TO RESETUP WINDOWS

No.
And now all my email accounts are gone from my Outlook? I know how to get them back, it's just a pain in the butt to import them again. Would combofix have deleted them?

No, doesn't seem like it. There is no trace of CIVSC.exe in any of your logs and it doesn't appear whatever you're facing is due to malware. However, you might still want to run a full scan with ESET/Bitdefender to make sure. Do:
http://onecare.live.com/site/en-Us/...
http://onecare.live.com/site/en-Us/...

CIVSC only runs every time after my boss syncs his palm. It hogs 98% of the resources on the computer so I have to end the process. I honestly don't think any of those scans would have run while the process was running.
Should I just restore the computer to before the combofix and get my boss to get virus software for his palm?
Or should I get him to sync his palm and then run combofix again?

Don't need to run it again. Just run kaspersky full scan and see if it finds anything.
