CIVSC.exe & Trend Micro Won't Run?

May 26, 2009 at 09:07:53
Specs: Windows XP, Intel Pentium 4 Cpu 2.8Ghz, 2.7GHz, 2GB RAM
I have noticed over the past couple weeks, that the computer comes to a screeching hault, and when i hit CTRL ALT DELETE and check processes running, there is this CIVSC.exe running that is hogging all my computer resources.

Some digging around leads me to believe it gets transferred onto the machine every time we sync the palm (possibly documents to go?)

We have Kapersky on here already, and for some reason I'm not able to get trend micro scan to run. (Not sure if maybe its because I'm in Canada? It wont run on my home pc either).

Any ideas?


See More: CIVSC.exe & Trend Micro Wont Run?

Report •


#1
May 26, 2009 at 10:05:54
Ran a full scan with kaspersky?

--------------------------------------------
To Private Message me Click Here


Report •

#2
May 26, 2009 at 10:11:43
It didn't find anthing...

Report •

#3
May 26, 2009 at 10:31:30
Can you please post your hijackthis and AVZ log:
Note: Run AVZ in windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again.

1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows vista launch AVZ.exe by right clicking and selecting Run as Administrator

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.

Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

--------------------------------------------
To Private Message me Click Here


Report •

Related Solutions

#4
May 26, 2009 at 12:26:20
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:24 PM, on 5/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection

Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks

Shared\Platform\nmsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection

Service\Bin\ACDaemon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Microsoft Shared\Works

Shared\WkUFind.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Pure Networks

Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet

Publisher\FNPLicensingService.exe
C:\Program Files\Open Field Software\ELLA for Microsoft

Outlook\Launcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Common

Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Documents and Settings\PC\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL

= http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub -

{18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program

Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter -

{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program

Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: IEVkbdBHO -

{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program

Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper -

{AE7CD045-E861-484f-8273-0445EE161910} - C:\Program

Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper -

{DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program

Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl -

{E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program

Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF -

{47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program

Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program

Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program

Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program

Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common

Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding

-boot
O4 - HKLM\..\Run: [ISUSPM Startup]

C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

-startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common

Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure

Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network

Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky

Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program

Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program

Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD

Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program

Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program

Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - Startup: Outlook Express Monitor.lnk = C:\Program Files\Open Field

Software\ELLA for Microsoft Outlook\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program

Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program

Files\Kaspersky Lab\Kaspersky Internet Security

2009\ie_banner_deny.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program

Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF -

res://C:\Program Files\Adobe\Acrobat

8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF -

res://C:\Program Files\Adobe\Acrobat

8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF -

res://C:\Program Files\Adobe\Acrobat

8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF -

res://C:\Program Files\Adobe\Acrobat

8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF -

res://C:\Program Files\Adobe\Acrobat

8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF -

res://C:\Program Files\Adobe\Acrobat

8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program

Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics -

{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program

Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com -

{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program

Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com -

{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program

Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: PUFLITE -

http://www.calgaryhomepros.com/Colp...

CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend

Micro ActiveX Scan Agent 6.6) -

http://housecall65.trendmicro.com/h...

activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

http://www.update.microsoft.com/win...

ent/wuweb_site.cab?1230139000234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}

(MUWebControl Class) -

http://update.microsoft.com/microso...

muweb_site.cab?1245911171328
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E}

(GeacRevw Control) -

http://abmls.mlxchange.com/5.0.05.4...
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62}

(QuickBooks Online Edition Utilities Class v10) -

https://accounting.quickbooks.com/c1/v23.174/qboax10.cab
O16 - DPF: {9AD9B5EB-F9E0-47D4-B20F-C29D58C6F5E1}

(IndeXMap Class) -

http://alta.registries.gov.ab.ca/Sp...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}

(Shockwave Flash Object) -

http://fpdownload2.macromedia.com/g...

b
O20 - AppInit_DLLs:

C:\WINDOWS\system32\wisolike.dll,C:\PROGRA~1\KASPER~1\KASPE

R~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\

PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPE

R~1\KASPER~1\kloehk.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. -

C:\Program Files\Common Files\ArcSoft\Connection

Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program

Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab -

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security

2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program

Files\Bonjour\mDNSResponder.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) -

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. -

C:\Program Files\Common Files\Macrovision Shared\FLEXnet

Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common

Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program

Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun

Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure

Networks, Inc. - C:\Program Files\Pure Networks\Network

Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure

Networks, Inc. - C:\Program Files\Common Files\Pure Networks

Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA

Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. -

C:\Program Files\Common

Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog

Devices\SoundMAX\spkrmon.exe

--
End of file - 12642 bytes

Attention !!! Database was last updated 2/8/2009 it is necessary to update the bases using automatic updates (File/Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 5/26/2009 11:35:55 AM
Database loaded: signatures - 209302, NN profile(s) - 2, microprograms of healing - 56, signature database released 08.02.2009 18:56
Heuristic microprograms loaded: 372
SPV microprograms loaded: 9
Digital signatures of system files loaded: 91560
Heuristic analyzer mode: Medium heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=083220)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 8055A220
KiST = 804E26A8 (284)
Function NtAdjustPrivilegesToken (0B) intercepted (8058D0AD->B77291DA), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtClose (19) intercepted (805678DD->B77297AE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtConnectPort (1F) intercepted (805879F7->B772B1EA), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateFile (25) intercepted (8056CDC0->B772AB9C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateKey (29) intercepted (8057065D->B7728950), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateSymbolicLinkObject (34) intercepted (8059F519->B772CB7C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateThread (35) intercepted (8058E64B->B77295AE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDeleteKey (3F) intercepted (805952CA->B7728D92), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDeleteValueKey (41) intercepted (80592D5C->B7728F92), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDeviceIoControlFile (42) intercepted (8058EFB9->B772AEAC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDuplicateObject (44) intercepted (805715E0->B772D084), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtEnumerateKey (47) intercepted (80570D64->B77290A8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtEnumerateValueKey (49) intercepted (80590677->B7729110), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtFsControlFile (54) intercepted (8057AAB5->B772AD5E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtLoadDriver (61) intercepted (805A3B01->B772C620), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenFile (74) intercepted (8056CD5B->B772A9F8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenKey (77) intercepted (80568D59->B7728AB2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenProcess (7A) intercepted (805717C7->B77293B2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenSection (7D) intercepted (80570FD7->B772CBA6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenThread (80) intercepted (8058A1C9->B77292FE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueryKey (A0) intercepted (80570A6D->B7729178), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueryMultipleValueKey (A1) intercepted (8064E300->B7728E7C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueryValueKey (B1) intercepted (8056A1F2->B7728C5A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueueApcThread (B4) intercepted (80591097->B772C888), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtReplaceKey (C1) intercepted (8064F0DC->B77285D2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtRequestWaitReplyPort (C8) intercepted (80576CE6->B772BA74), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtRestoreKey (CC) intercepted (8064EC71->B7728734), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtResumeThread (CE) intercepted (8058ECBE->B772CF56), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSaveKey (CF) intercepted (8064ED72->B77283D0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSecureConnectPort (D2) intercepted (8058F4EA->B772B08C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetContextThread (D5) intercepted (8062DD17->B77296AC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetSecurityObject (ED) intercepted (8059B1AB->B772C71A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetSystemInformation (F0) intercepted (805A7BED->B772CBD0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (80572889->B7728B08), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSuspendProcess (FD) intercepted (8062F8F9->B772CCB4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSuspendThread (FE) intercepted (805E046E->B772CDE0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSystemDebugControl (FF) intercepted (80649CD9->B772C54C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtTerminateProcess (101) intercepted (805822EC->B772947E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtWriteVirtualMemory (115) intercepted (8057E42A->B77294F0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function FsRtlCheckLockForReadAccess (80512919) - machine code modification Method of JmpTo. jmp B7740626 \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
Function IoIsOperationSynchronous (804E875A) - machine code modification Method of JmpTo. jmp B77409E0 \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
Functions checked: 284, intercepted: 39, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 53
Number of modules loaded: 476
Scanning memory - complete
3. Scanning disks
E:\Program Files\eNeighborhoods, Inc\eNeighborhoods\entransfer.exe >>> suspicion for Trojan.Win32.VB.aup ( 00499829 0027FAA8 00179E41 0016D284 45056)
E:\Program Files\eNeighborhoods, Inc\eNeighborhoods\eN_RegFix.exe >>> suspicion for Trojan-Downloader.Win32.Adload.cm ( 0040A330 00469053 001BA63D 00204D3F 28672)
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Hooks32.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Hooks32.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\OFSOEPlugIn.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\OFSOEPlugIn.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\mimepp.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\mimepp.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\OFSClassAgent.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\OFSClassAgent.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Latent loading of libraries through AppInit_DLLs suspected: "C:\WINDOWS\system32\wisolike.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: Alerter (Alerter)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 248906, extracted from archives: 157452, malicious software found 0, suspicions - 2
Scanning finished at 5/26/2009 12:33:13 PM
Time of scanning: 00:57:19
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference


Report •

#5
May 26, 2009 at 12:28:07
Re-read Response Number 3 and post the required files and hijackthis log to rapidshare.

--------------------------------------------
To Private Message me Click Here


Report •

#6
May 26, 2009 at 15:06:02
Ok here is the Rapidshare:

http://rapidshare.com/files/2375893...

And the HiJack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:24 PM, on 5/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Launcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Documents and Settings\PC\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - Startup: Outlook Express Monitor.lnk = C:\Program Files\Open Field Software\ELLA for Microsoft Outlook\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: PUFLITE - http://www.calgaryhomepros.com/Colp...
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/h...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://abmls.mlxchange.com/5.0.05.4...
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c1/v23.174/qboax10.cab
O16 - DPF: {9AD9B5EB-F9E0-47D4-B20F-C29D58C6F5E1} (IndeXMap Class) - http://alta.registries.gov.ab.ca/Sp...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O20 - AppInit_DLLs: C:\WINDOWS\system32\wisolike.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 12642 bytes


Report •

#7
May 26, 2009 at 15:54:06
Follow these steps in order numbered:

1) Run this in AVZ, your computer will reboot.

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 QuarantineFile('C:\WINDOWS\system32\wisolike.dll','');
 DeleteFile('C:\WINDOWS\system32\wisolike.dll');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

2) Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Sypware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.

--------------------------------------------
To Private Message me Click Here


Report •

#8
May 26, 2009 at 15:55:25
I TINK YOU HAVE TO DOWNLOAD AVIRA ANTIVIRUS THEN SCAN YOUR PC AND DON'T FORGET TO UPDATE ITS DATABASE
FINALY YOU HAVE TO RESETUP WINDOWS

Report •

#9
Report •

#10
June 3, 2009 at 10:16:32
Is your original problem fixed?

-------------------------------------------------


Report •

#11
June 3, 2009 at 10:21:16
No.

And now all my email accounts are gone from my outlook? I know how to get them back, its just a pain in the butt to import them again. Would combofix have deleted them?


Report •

#12
June 3, 2009 at 10:38:11
No doesn't seems like it. There is no trace of CIVSC.exe in any of your logs and it doesn't appear whatever your facing is due to malware. However you might still want to run full scan with ESET/Bitdefender to make sure. Do:
http://onecare.live.com/site/en-Us/...
http://onecare.live.com/site/en-Us/...

-------------------------------------------------


Report •

#13
June 3, 2009 at 11:06:01
CIVSC only runs every time after my boss syncs his palm. It hogs 98% of the resources on the computer so I have to end the process. I honestly don't think any of those scans would have run while the process was running.

Should I just restore the computer to before the combofix and get my boss to get virus software for his palm?

Or should I get him to sync his palm and then run combofix again?


Report •

#14
June 3, 2009 at 13:08:50
Don't need to run it again. Just run kaspersky full scan and see if it finds anything.

-------------------------------------------------


Report •


Ask Question