> Unknown Malware Disabling A/v?, A/V found something but I don't know what
LynnBR
post Jul 22 2008, 07:23 PM
Post #1

Member
Group: Members
Posts: 16
Joined: 22-July 08
Member No.: 224,414

I've found many solutions on your site, hoping for this one too. User received an "antivirus found" warning late last week. Clicking on "view scan results" doesn't bring up the scan, and I cannot run an A/V scan of the hard drive. Some benign functions of the A/V work, but not anything productive. I have not been informed of anything else misbehaving on this system. Ran the latest version of MBAM, quick scan, came back clean. Here's what I've got so far, following your posting instructions (with a little oops and re-do along the way).

Deckard's System Scanner v20071014.68
Run by lynn on 2008-07-22 16:51:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
18: 2008-07-22 23:51:20 UTC - RP326 - Deckard's System Scanner Restore Point
17: 2008-07-22 23:36:21 UTC - RP325 - Installed Java™ 6 Update 7
16: 2008-07-22 23:11:25 UTC - RP324 - Deckard's System Scanner Restore Point
15: 2008-07-22 01:45:31 UTC - RP323 - Removed Command AntiVirus for Windows Enterprise
14: 2008-07-22 01:22:59 UTC - RP322 - Restore Operation


-- First Restore Point --
1: 2008-04-25 22:37:32 UTC - RP309 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as lynn.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:24 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Authentium\AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\timberline office\shared\sage.servicehost.host.exe
C:\Program Files\Authentium\AntiVirus\schscnt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe
C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
C:\Documents and Settings\Lynn.HACI0\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\lynn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware15] "C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\vchk.exe
O4 - HKLM\..\Run: [cuagent] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\cuagent.exe /v
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OpAgent] "C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe" /agent
O4 - HKCU\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Reminder.lnk = CheckIn\Chklogin.exe
O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1207009103532
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1207009076414
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = haci0.local
O17 - HKLM\Software\..\Telephony: DomainName = haci0.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = haci0.local
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\AntiVirus\avinitnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sage Service Host v1.0 (Sage.ServiceHost.Host.1.0) - Sage Software, Inc. - c:\program files\timberline office\shared\sage.servicehost.host.exe
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\AntiVirus\schscnt.exe

--
End of file - 7054 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>

S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Sage.ServiceHost.Host.1.0 (Sage Service Host v1.0) - c:\program files\timberline office\shared\sage.servicehost.host.exe <Not Verified; Sage Software, Inc.; Data>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 592)
2006-02-03 01:23:12 135168 --a------ C:\Program Files\ScanSoft\OmniPage15.0\OpHook15.dll <Not Verified; ScanSoft, Inc.; OmniPage Pro>


-- Scheduled Tasks -------------------------------------------------------------

2008-07-21 18:48:15 344 --a------ C:\WINDOWS\Tasks\StartSetup.job
2006-05-09 09:17:28 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


-- Files created between 2008-06-22 and 2008-07-22 -----------------------------

2008-07-22 16:49:53 0 d-------- P:\Deckard
2008-07-21 18:47:55 0 d-------- C:\Program Files\Common Files\Authentium
2008-07-21 18:47:55 0 d-------- C:\Program Files\Authentium
2008-07-21 18:36:23 0 d-------- C:\Documents and Settings\Lynn.HACI0\Application Data\Command Software
2008-07-21 18:31:38 0 d-------- C:\Documents and Settings\Lynn.HACI0\Application Data\Timberline
2008-07-21 18:31:17 0 d-------- C:\Program Files\Trend Micro
2008-07-21 17:19:02 0 d-------- C:\Documents and Settings\Lynn.HACI0\Application Data\Malwarebytes
2008-07-21 17:18:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 17:18:56 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-08 12:54:22 0 d-------- C:\Documents and Settings\lr\Favorites
2008-07-08 12:54:22 0 d-------- C:\Documents and Settings\lr\Application Data
2008-07-08 12:54:22 0 d-------- C:\Documents and Settings\lr\Application Data\Microsoft
2008-07-08 12:54:22 0 d-------- C:\Documents and Settings\lr\Application Data\Gtek
2008-07-08 12:54:21 0 d-------- C:\Documents and Settings\lr\Templates
2008-07-08 12:54:21 786432 --ah----- C:\Documents and Settings\lr\NTUSER.DAT
2008-07-08 12:54:21 0 d-------- C:\Documents and Settings\lr\My Documents
2008-07-08 12:54:21 0 d-------- C:\Documents and Settings\lr\Local Settings
2008-07-08 07:42:19 1236992 --a------ C:\Documents and Settings\nikki\ntuser.dat


-- Find3M Report ---------------------------------------------------------------

2008-07-22 16:41:20 0 d-------- C:\Program Files\Java
2008-07-21 18:47:55 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 07:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 07:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 07:50 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"SigmatelSysTrayApp"="stsystra.exe" [03/22/2005 10:20 PM C:\WINDOWS\stsystra.exe]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [09/08/2005 06:20 PM]
"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe" [09/08/2005 06:20 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 04:20 AM]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [09/30/2003 12:14 AM]
"Opware15"="C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe" [02/03/2006 01:23 AM]
"OpScheduler"="C:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"CSAV_CheckViruses"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\vchk.exe" [06/01/2008 04:56 PM]
"cuagent"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\cuagent.exe" [06/01/2008 04:55 PM]
"avtray"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe" [06/01/2008 04:55 PM]
"dvprpt"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe" [06/01/2008 04:55 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]
"OpAgent"="C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe" [02/03/2006 01:24 AM]
"SharpTray"="C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" [11/08/2001 10:37 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Pervasive.SQL Workgroup Engine.lnk - C:\PVSW\Bin\w3dbsmgr.exe [5/9/2006 10:52:02 AM]
Reminder.lnk - G:\CheckIn\Chklogin.exe [3/12/2006 7:44:39 PM]
Start Network Scanner Tool.lnk - C:\Program Files\Sharp\Sharpdesk\sdFTP.exe [8/2/2006 3:17:53 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
"C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER




-- End of Deckard's System Scanner: finished at 2008-07-22 16:52:21 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 33%
Physical Memory (total/avail): 1014.07 MiB / 676.12 MiB
Pagefile Memory (total/avail): 2441.27 MiB / 2219.43 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1912.35 MiB

C: is Fixed (NTFS) - 70.9 GiB total, 56.59 GiB free.
D: is CDROM (CDFS)
G: is Network (NTFS)
K: is Network (NTFS)
N: is Network (NTFS)
P: is Network (NTFS)
Q: is Network (NTFS)
S: is Network (NTFS)
T: is Network (NTFS)
U: is Network (NTFS)

\\.\PHYSICALDRIVE0 - WDC WD800JD-75MSA1 - 74.5 GiB - 3 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 70.9 GiB - C:
\PARTITION2 - Unknown - 3.57 GiB



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
UpdatesDisableNotify is set.

AV: Command AntiVirus for Windows Enterprise v73334786 (Authentium, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\PVSW\\Bin\\w3dbsmgr.exe"="C:\\PVSW\\Bin\\w3dbsmgr.exe:*:Enabled:Database Service Manager"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"C:\\Program Files\\Sharp\\Sharpdesk\\sdFTP.exe"="C:\\Program Files\\Sharp\\Sharpdesk\\sdFTP.exe:*:Enabled:sdFTP"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\PVSW\\Bin\\w3dbsmgr.exe"="C:\\PVSW\\Bin\\w3dbsmgr.exe:*:Enabled:Database Service Manager"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Lynn.HACI0\Application Data
CLASSPATH=C:\PVSW\BIN\PVJDBC2X.JAR;C:\PVSW\BIN\PVJDBC2.JAR
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SM2
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=P:
HOMEPATH=\
HOMESHARE=\\hal\lynn$
LOGONSERVER=\\HAL
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Timberline Office\Shared\;C:\Program Files\Timberline Office\Shared;C:\PVSW\BIN;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Common Files\Crystal Decisions\2.0\bin;C:\Program Files\Common Files\Crystal Decisions\2.5\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
Shared_Path=C:\Program Files\Timberline Office\Shared\
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\LYNN~1.HAC\LOCALS~1\Temp
TMP=C:\DOCUME~1\LYNN~1.HAC\LOCALS~1\Temp
USERDNSDOMAIN=HACI0.LOCAL
USERDOMAIN=HACI0
USERNAME=lynn
USERPROFILE=C:\Documents and Settings\Lynn.HACI0
VSL=C:\PVSW\BIN
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

amy
sherri
kathy
nikki
Lynn.HACI0 (admin)
cas
judi (new local, net ready)
jayme
shannon
lorid
tanya
jessica
reception
juanita
donelle
Lynn (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Accounting Client --> MsiExec.exe /X{165A57F4-5078-4769-A645-1399FABD35BD}
Acowin 4.15 --> MsiExec.exe /I{25A57BE0-9A82-4ACE-8ABB-B766024F5EDD}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Corel Photo Album 6 --> MsiExec.exe /X{8A9B8148-DDD7-448F-BD6C-358386D32354}
Crystal Runtime --> MsiExec.exe /I{880E72CC-AD34-4CD0-947A-2CEB1DEDF322}
CrystalPatch --> MsiExec.exe /I{4DD0C9EE-0342-461A-9354-47F44860F651}
Dell CinePlayer --> MsiExec.exe /I{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Support 3.1 --> MsiExec.exe /X{548EEA8E-8299-497F-8057-811D2D7097DC}
DESI Labeling System --> C:\PROGRA~1\DESI\UNWISE.EXE C:\PROGRA~1\DESI\INSTALL.LOG
Digital Content Portal --> MsiExec.exe /I{B702CCCE-3176-4DBF-B932-D1B8F402F330}
FileMaker Pro 5.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\FileMaker\FileMaker Pro 5\System\DeIsL1.isu"
getPlus®_ocx --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2776 PCI\VEN_8086&DEV_2772
Intel® PRO Network Connections Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
MCU --> MsiExec.exe /I{D2988E9B-C73F-422C-AD4B-A66EBE257120}
Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Small Business Accounting 2006 --> MsiExec.exe /X{F413D795-B077-4A96-AE75-810BBA673A0E}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
Pervasive System Analyzer --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Common Files\Pervasive Software Shared\PSA\psa.isu"
Pervasive.SQL Workgroup v8.10 --> C:\WINDOWS\IsUninst.exe -fC:\PVSW\DeIsL1.isu -a -c"C:\PVSW\W32PTKUN.DLL" -mpsql.mif -ppWKGRP
Qualxserve Service Agreement --> MsiExec.exe /X{0F756CD9-4A1E-409B-B101-601DDC4C03AA}
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Roxio DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Roxio RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Roxio RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Roxio RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
SBA --> MsiExec.exe /I{20F51690-133A-453C-B616-1C15AB2C0EF0}
ScanSoft OmniPage 15.0 --> MsiExec.exe /I{E9DCA3A9-7478-427C-9E98-765D980EF053}
Search Assist --> MsiExec.exe /X{DF6A589A-7A1A-430C-9FF2-A0BDB42669DC}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sharpdesk --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Sharp\Sharpdesk\Uninst.isu" -c"C:\Program Files\Sharp\Sharpdesk\uninst.dll"
Sonic Activation Module --> MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
URL Assistant --> regsvr32 /u /s "c:\Program Files\BAE\BAE.dll"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"


-- Application Event Log -------------------------------------------------------

Event Record #/Type10604 / Warning
Event Submitted/Written: 07/22/2008 04:42:48 PM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Event Record #/Type10603 / Warning
Event Submitted/Written: 07/22/2008 04:42:48 PM
Event ID/Source: 32026 / Microsoft Fax
Event Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

Event Record #/Type10598 / Warning
Event Submitted/Written: 07/22/2008 04:23:24 PM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Event Record #/Type10597 / Warning
Event Submitted/Written: 07/22/2008 04:23:24 PM
Event ID/Source: 32026 / Microsoft Fax
Event Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

Event Record #/Type10592 / Warning
Event Submitted/Written: 07/22/2008 04:10:09 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, RegProv, has been registered in the WMI namespace, root\Authentium, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type22384 / Error
Event Submitted/Written: 07/22/2008 04:12:32 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The avinitnt service terminated unexpectedly. It has done this 2 time(s).

Event Record #/Type22383 / Error
Event Submitted/Written: 07/22/2008 04:12:29 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The dvpapi service terminated unexpectedly. It has done this 2 time(s).

Event Record #/Type22337 / Error
Event Submitted/Written: 07/21/2008 06:51:52 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The avinitnt service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type22336 / Error
Event Submitted/Written: 07/21/2008 06:51:50 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The dvpapi service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type22291 / Error
Event Submitted/Written: 07/21/2008 06:43:12 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-07-22 16:52:21 ------------

The Kaspersky run was done last night. The N: drive findings are of particular concern; I'll have to investigate those separately.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 22, 2008 00:34:14
Records in database: 982552
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
G:\
K:\
N:\
P:\
Q:\
S:\
T:\
U:\

Scan statistics:
Files scanned: 144359
Threat name: 8
Infected objects: 12
Suspicious objects: 0
Duration of the scan: 03:18:12


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\quarantine\file[1].jpg.Quarantined Infected: Exploit.Win32.IMG-ANI.h 1
C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\quarantine\slide712[1].htm.Quarantined Infected: Trojan-Downloader.JS.Agent.eg 1
C:\Documents and Settings\jayme\Application Data\Sun\Java\Deployment\cache\6.0\33\54407b61-639f766b Infected: Trojan.Java.ClassLoader.ao 3
C:\RECYCLER\S-1-5-21-4042160745-1055448698-3759889225-1007\Dc1112\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv712.jar-2e5cce94-2429bcd5.zip Infected: Trojan-Downloader.Java.OpenStream.c 1
C:\RECYCLER\S-1-5-21-4042160745-1055448698-3759889225-1007\Dc1112\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv712.jar-2e5cce94-2429bcd5.zip Infected: Trojan.Java.ClassLoader.h 1
C:\RECYCLER\S-1-5-21-4042160745-1055448698-3759889225-1007\Dc1112\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv712.jar-2e5cce94-2429bcd5.zip Infected: Trojan.Java.ClassLoader.d 1
G:\DOWNLOAD\Utilities\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
N:\ACCSoft\AC.exe Infected: Email-Worm.Win32.Magistr.b.corrupted 1
N:\ACCSoft\DBEdit.exe Infected: Email-Worm.Win32.Magistr.b.corrupted 1
N:\ACCSoft\SiteSetup.exe Infected: Email-Worm.Win32.Magistr.b.corrupted 1

The selected area was scanned.




--------------------
Lynn

Plan as if you will live forever but live as if you might die tomorrow
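The System Event Log excerpt in the DSS output above is the most telling part of the first post: both Authentium services (avinitnt and dvpapi) terminated unexpectedly within seconds of each other on 21 July and again on 22 July, which is the pattern one would expect if something were stopping the product rather than a one-off crash. The following is an added example written for this thread, not part of the original post and not DSS code, that parses DSS-style event records and flags that pattern. SAMPLE_LOG is built from the lines quoted above; the AV_SERVICES list (taken from the O23 service lines in the HijackThis log) and the 60-second clustering window are assumptions of the example.

```python
"""Flag repeated unexpected terminations of anti-virus services in a
Deckard's System Scanner (DSS) event-log excerpt.

Added example for this thread; not part of the original post and not DSS
code. The record layout mirrors the DSS output quoted in the thread,
SAMPLE_LOG is built from those lines, AV_SERVICES is an assumption for this
machine (the Authentium services listed on the O23 lines) and the 60-second
clustering window is a chosen threshold.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Event Record #/Type22384 / Error
Event Submitted/Written: 07/22/2008 04:12:32 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The avinitnt service terminated unexpectedly. It has done this 2 time(s).

Event Record #/Type22383 / Error
Event Submitted/Written: 07/22/2008 04:12:29 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The dvpapi service terminated unexpectedly. It has done this 2 time(s).

Event Record #/Type22337 / Error
Event Submitted/Written: 07/21/2008 06:51:52 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The avinitnt service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type22336 / Error
Event Submitted/Written: 07/21/2008 06:51:50 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The dvpapi service terminated unexpectedly. It has done this 1 time(s).
"""

AV_SERVICES = {"avinitnt", "dvpapi", "schscnt"}   # assumption: this box's AV services
CLUSTER_WINDOW = timedelta(seconds=60)

RECORD_RE = re.compile(
    r"Event Submitted/Written: (?P<ts>[\d/]+ [\d:]+ [AP]M)\n"
    r"Event ID/Source: (?P<id>\d+) / (?P<src>[^\n]+)\n"
    r"Event Description:\n(?P<desc>.*?)(?:\n\n|\Z)", re.S)
TERMINATED_RE = re.compile(r"The (\S+) service terminated unexpectedly")


def parse_events(text):
    """One dict per record: time, id, source, description."""
    return [{"time": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
             "id": int(m.group("id")),
             "source": m.group("src").strip(),
             "desc": m.group("desc").strip()}
            for m in RECORD_RE.finditer(text)]


def av_service_terminations(events):
    """service name -> sorted times it died (event 7034, AV services only)."""
    hits = defaultdict(list)
    for ev in events:
        m = TERMINATED_RE.search(ev["desc"]) if ev["id"] == 7034 else None
        if m and m.group(1).lower() in AV_SERVICES:
            hits[m.group(1).lower()].append(ev["time"])
    return {svc: sorted(times) for svc, times in hits.items()}


def crash_clusters(terminations, window=CLUSTER_WINDOW):
    """Groups of different AV services dying within `window` of each other.

    One component crashing is a bug; every component of the product dying
    within seconds, on more than one day, is what a process killer looks like.
    """
    timeline = sorted((t, svc) for svc, times in terminations.items() for t in times)
    clusters = []
    for t, svc in timeline:
        if clusters and t - clusters[-1][0] <= window:
            clusters[-1][1].add(svc)
        else:
            clusters.append((t, {svc}))
    return [c for c in clusters if len(c[1]) > 1]


def assess(text):
    """Verdict for an excerpt: per-service counts, multi-service clusters, flag."""
    term = av_service_terminations(parse_events(text))
    clusters = crash_clusters(term)
    suspicious = len(clusters) >= 2 and all(len(t) >= 2 for t in term.values())
    return {"services": term, "clusters": clusters, "suspicious": suspicious}


if __name__ == "__main__":
    r = assess(SAMPLE_LOG)
    for svc, times in sorted(r["services"].items()):
        print(f"{svc}: terminated unexpectedly {len(times)} time(s)")
    for when, svcs in r["clusters"]:
        print(f"{when}: {', '.join(sorted(svcs))} died within {CLUSTER_WINDOW.seconds}s")
    print("looks like AV being killed:", r["suspicious"])
```

Run against the excerpt it reports two clusters, each containing both services, two days running. The same records pasted from a full DSS log (rather than the excerpt) would also pick up the third Authentium service, schscnt, if it had died; a 7034 for an unrelated service such as the spooler is ignored.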
Blender
post Aug 7 2008, 12:44 PM
Post #2


Group: HJT Team Coach

Hi and welcome,

Sorry for the delay. We have been backlogged.

If you still need help please do the following:

Enable the system to show hidden files. How to:
http://www.bleepingcomputer.com/tutorials/tutorial62.html
Don't forget to hide files/folders when we are finished cleaning.

Locate & delete: (if present)

C:\Documents and Settings\jayme\Application Data\Sun\Java\Deployment\cache\6.0\33\54407b61-639f766b

G:\DOWNLOAD\Utilities\SmitfraudFix.exe <-- this is not malware but the tool is updated too often to keep it around.

I'd like to rule out false positive on those files on N drive.
Scan these 3:

N:\ACCSoft\AC.exe
N:\ACCSoft\DBEdit.exe
N:\ACCSoft\SiteSetup.exe

At this site & post results:

http://www.virustotal.com/en/indexf.html

Next:

Please be logged into the "Lynn" account then...
Click start> run> type:

"%userprofile%\desktop\dss.exe" /config

Hit OK> hit "scan" & post results of both logs here.

----------------------------

My additional questions:

With the possible exception of "Judi", are they all local accounts, or do the users have to log onto the machine from elsewhere? The "Judi" account looks like she would log into the machine from elsewhere. Correct?
Reason I ask is because those kinds of logins are dealt with a bit differently in terms of cleanup than local logins.

The N drive --
Is it Data storage only? What was on that drive before?
I just find it odd that it seems to be the only one affected with "Email-Worm.Win32.Magistr.b.corrupted", which is a damaged variant of:
http://www.trendmicro.com/vinfo/virusencyc...2EB&VSect=T


Thanks


--------------------
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
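The Kaspersky findings in the first post fall into distinct groups, and the reply above handles them differently: the two quarantine-folder hits are already contained by the local scanner, the Java cache and RECYCLER objects are simply deleted, SmitfraudFix is riskware rather than malware, and the N: drive files need a false-positive check before anything is deleted. The following is an added example, not part of the original posts and not Kaspersky's software, that sorts a report of this shape into those groups. The grouping rules, the set of network drives (N: is a mapped drive per the thread) and SAMPLE_REPORT, which is constructed from the lines quoted in the first post, are the example's assumptions.

```python
"""Sort a Kaspersky Online Scanner report by where each detected object lives.

Added example for this thread; not part of the original posts and not
Kaspersky's code. The location classes and the handling attached to them are
this example's assumptions, chosen to match the replies in the thread:
objects inside another scanner's quarantine folder are already contained,
Java deployment cache and RECYCLER leftovers are deleted, a "not-a-virus"
flag on an admin tool is not an infection, and anything on a mapped network
drive (N: here, per the poster) is investigated before it is deleted.
SAMPLE_REPORT is constructed from the lines quoted in the first post.
"""
import re
from collections import defaultdict, namedtuple

Detection = namedtuple("Detection", "path threat count")

NETWORK_DRIVES = {"N"}   # assumption: drives that are mapped shares on this machine

ACTIONS = {
    "tool":          "riskware flag, not an infection; delete only if the tool is unwanted",
    "network_share": "lives on the server; check it there and restore from backup",
    "contained":     "already in another scanner's quarantine; purge via that product",
    "recycle_bin":   "deleted-file remnant; empty the Recycle Bin",
    "java_cache":    "Java deployment cache object; delete and clear the cache",
    "local":         "live object on a local drive; quarantine or delete",
}

LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\quarantine\file[1].jpg.Quarantined Infected: Exploit.Win32.IMG-ANI.h 1
C:\Documents and Settings\jayme\Application Data\Sun\Java\Deployment\cache\6.0\33\54407b61-639f766b Infected: Trojan.Java.ClassLoader.ao 3
C:\RECYCLER\S-1-5-21-4042160745-1055448698-3759889225-1007\Dc1112\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv712.jar-2e5cce94-2429bcd5.zip Infected: Trojan-Downloader.Java.OpenStream.c 1
G:\DOWNLOAD\Utilities\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
N:\ACCSoft\AC.exe Infected: Email-Worm.Win32.Magistr.b.corrupted 1
N:\ACCSoft\DBEdit.exe Infected: Email-Worm.Win32.Magistr.b.corrupted 1
N:\ACCSoft\SiteSetup.exe Infected: Email-Worm.Win32.Magistr.b.corrupted 1

The selected area was scanned.
"""


def parse_report(text):
    """Pull (path, threat, count) rows out of the 'File name / Threat name' table."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(Detection(m.group("path"), m.group("threat"), int(m.group("count"))))
    return rows


def classify(det):
    """Map one detection to an ACTIONS key; most specific location first."""
    p = det.path.lower()
    if det.threat.startswith("not-a-virus:"):
        return "tool"
    if det.path[0].upper() in NETWORK_DRIVES:
        return "network_share"
    if "\\quarantine\\" in p:
        return "contained"
    if p.startswith("c:\\recycler\\"):
        return "recycle_bin"
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"
    return "local"


def triage(text):
    """Group detections by class, count objects, list damaged (.corrupted) infections."""
    rows = parse_report(text)
    groups = defaultdict(list)
    for det in rows:
        groups[classify(det)].append(det)
    return {"groups": dict(groups),
            "objects": sum(d.count for d in rows),
            "damaged": [d.path for d in rows if d.threat.endswith(".corrupted")]}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{result['objects']} infected objects")
    for cls, dets in result["groups"].items():
        print(f"\n[{cls}] {ACTIONS[cls]}")
        for d in dets:
            print(f"  {d.path}  ({d.threat} x{d.count})")
    if result["damaged"]:
        print("\ndamaged infections (file already broken, replace from backup):")
        for path in result["damaged"]:
            print("  " + path)
```

The RECYCLER path also contains a Java cache folder, which is why the rules are ordered most-specific first; and a network-share hit is reported before anything else because deleting a file from an accounting share on the strength of one scanner's verdict is the one action here that cannot be undone locally.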
LynnBR
post Aug 7 2008, 05:18 PM
Post #3


Blender,
Thanks for getting to me. Will be about an hour before I can run DSS on system again but have started on other activities and can answer your questions now.

Deleted smitfraudfix.

Ran 3 files on N drive through VirusTotal. N is a mapped drive to accounting software on our server. I may be dense but couldn't figure out how to save the scan results other than copy/paste, so did that into a txt document which I have attached. There was an awful lot of text in the report, didn't want to fill up this space with all that, so attached instead. Hope that is not a problem. Can repost inline if you'd like.

Judi was a local account. No users should be logging into this machine from elsewhere. This is receptionist computer; when other employees need to cover phones/front desk they log in and work from here.
Thanks,
Lynn

Attached file: ACCscans.txt (35.5k)
LynnBR
post Aug 7 2008, 06:18 PM
Post #4


Deleted file from D&S\jayme.
Here's the main.txt log from DSS. I did not get a second log. Let me know if I need to re-run with different switches.

Deckard's System Scanner v20071014.68
Run by lynn on 2008-08-07 16:12:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as lynn.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:42 PM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Authentium\AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\timberline office\shared\sage.servicehost.host.exe
C:\Program Files\Authentium\AntiVirus\schscnt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe
C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Lynn.HACI0\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\lynn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware15] "C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\vchk.exe
O4 - HKLM\..\Run: [cuagent] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\cuagent.exe /v
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OpAgent] "C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe" /agent
O4 - HKCU\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Reminder.lnk = CheckIn\Chklogin.exe
O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1207009103532
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1207009076414
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = haci0.local
O17 - HKLM\Software\..\Telephony: DomainName = haci0.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = haci0.local
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\AntiVirus\avinitnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sage Service Host v1.0 (Sage.ServiceHost.Host.1.0) - Sage Software, Inc. - c:\program files\timberline office\shared\sage.servicehost.host.exe
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\AntiVirus\schscnt.exe

--
End of file - 7142 bytes

-- Files created between 2008-07-07 and 2008-08-07 -----------------------------

2008-07-22 16:49:53 0 d-------- P:\Deckard
2008-07-21 18:47:55 0 d-------- C:\Program Files\Common Files\Authentium
2008-07-21 18:47:55 0 d-------- C:\Program Files\Authentium
2008-07-21 18:36:23 0 d-------- C:\Documents and Settings\Lynn.HACI0\Application Data\Command Software
2008-07-21 18:31:38 0 d-------- C:\Documents and Settings\Lynn.HACI0\Application Data\Timberline
2008-07-21 18:31:17 0 d-------- C:\Program Files\Trend Micro
2008-07-21 17:19:02 0 d-------- C:\Documents and Settings\Lynn.HACI0\Application Data\Malwarebytes
2008-07-21 17:18:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 17:18:56 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-08 12:54:22 0 d-------- C:\Documents and Settings\lr\Favorites
2008-07-08 12:54:22 0 d-------- C:\Documents and Settings\lr\Application Data
2008-07-08 12:54:22 0 d-------- C:\Documents and Settings\lr\Application Data\Microsoft
2008-07-08 12:54:22 0 d-------- C:\Documents and Settings\lr\Application Data\Gtek
2008-07-08 12:54:21 0 d-------- C:\Documents and Settings\lr\Templates
2008-07-08 12:54:21 786432 --ah----- C:\Documents and Settings\lr\NTUSER.DAT
2008-07-08 12:54:21 0 d-------- C:\Documents and Settings\lr\My Documents
2008-07-08 12:54:21 0 d-------- C:\Documents and Settings\lr\Local Settings
2008-07-08 07:42:19 1236992 --a------ C:\Documents and Settings\nikki\ntuser.dat


-- Find3M Report ---------------------------------------------------------------

2008-07-22 16:41:20 0 d-------- C:\Program Files\Java
2008-07-21 18:47:55 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 07:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 07:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 07:50 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"SigmatelSysTrayApp"="stsystra.exe" [03/22/2005 10:20 PM C:\WINDOWS\stsystra.exe]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [09/08/2005 06:20 PM]
"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe" [09/08/2005 06:20 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 04:20 AM]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [09/30/2003 12:14 AM]
"Opware15"="C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe" [02/03/2006 01:23 AM]
"OpScheduler"="C:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"CSAV_CheckViruses"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\vchk.exe" [06/01/2008 04:56 PM]
"cuagent"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\cuagent.exe" [06/01/2008 04:55 PM]
"avtray"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe" [06/01/2008 04:55 PM]
"dvprpt"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe" [06/01/2008 04:55 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]
"OpAgent"="C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe" [02/03/2006 01:24 AM]
"SharpTray"="C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" [11/08/2001 10:37 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Pervasive.SQL Workgroup Engine.lnk - C:\PVSW\Bin\w3dbsmgr.exe [5/9/2006 10:52:02 AM]
Reminder.lnk - G:\CheckIn\Chklogin.exe [3/12/2006 7:44:39 PM]
Start Network Scanner Tool.lnk - C:\Program Files\Sharp\Sharpdesk\sdFTP.exe [8/2/2006 3:17:53 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
"C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER




-- End of Deckard's System Scanner: finished at 2008-08-07 16:13:17 ------------


Thanks again,
Lynn


Blender
post Aug 8 2008, 12:46 PM
Post #5


Hi,

Thanks for the logs. Attaching the txt file of virustotal results is fine.

Those 3 files you can delete from the N drive.

Sorry about the dss scan -- I forgot to have you "check all" at the config window.
However -- since you have several accounts on the machine I would like to have a look at those too in case something strange is being started from a different user account.

See, when you have several user accounts -- each user has their own desktop, settings and so on. So it is much like having 17 different computers to check.
We'll use a different program for checking...
If anything is found in this log we can use an admin level account to fix everyone rather than having to log into each account separately.

Since we have been working from the "Lynn" account -- I would prefer to keep working from there if possible.
This will save confusion if we have to fix anything.

Download OTScanIT.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIT on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIT folder and double-click on OTScanIT.exe to start the program
  • At the top checkmark "Scan all users"
  • In the Drivers section click on Non-Microsoft.
  • In the rootkit section click on yes
  • Under Additional Scans click the checkboxes in front of the following items to select them:
      Reg - BotCheck
      File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
    You can close this log file.

Please zip up & attach the file "OTScanIT.txt" in your next reply as it will be way too long to copy/paste the log here.
I ask for it zipped because we are limited in how much attachment space we have so zipping large logs will save space.
Don't forget to re-enable antivirus.


While waiting for me to get back -- I highly advise uninstalling older versions of Java.
Old Java versions are exploitable.
Go to add/remove programs and uninstall All versions of Java and J2RE except Java™ 6 Update 7

Reboot when done.

Keep in mind when installing new Java versions the installer does not remove the old.
Having old versions can allow malicious sites to "call up" old Java installs to carry out their exploits.

I also advise uninstalling Acrobat Reader 8 & installing the new version.
Your version is exploitable.
New version here:
http://www.adobe.com/products/acrobat/readstep2.html

UNcheck google toolbar before installing Reader if you don't want it.

As with Java -- Adobe installer does not check for & uninstall old versions either.

Thanks

ps.
If no reply back from me in say 24 hours --- please shoot me a PM.


--------------------
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
Go to the top of the page
 
+Quote Post
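On the Java advice in the reply above: each leftover entry is a complete runtime with its own exploitable bugs, and because the installer does not remove its predecessors, a machine can carry half a dozen of them. Picking the right one to keep is also easy to get wrong by eye, since "Update 11" sorts before "Update 6" in an alphabetical list. The following is an added example, not Sun's code and not the forum's, that parses the Add/Remove Programs display names, orders them numerically and lists everything but the newest for removal. The name layouts it understands, SAMPLE_ENTRIES (constructed) and the registry lookup are the example's assumptions.

```python
r"""Pick the newest installed Java runtime and list the older ones for removal.

Added example for this thread; not Sun's code and not the forum's. It parses
Add/Remove Programs display names in the layouts Sun's installers used around
2008 ("Java(TM) 6 Update 7", "Java(TM) SE Runtime Environment 6 Update 1",
"J2SE Runtime Environment 5.0 Update 6", "Java 2 Runtime Environment, SE
v1.4.2_03"); any other Java-named entry is reported as unparsed rather than
guessed at. SAMPLE_ENTRIES is constructed. On Windows, installed_display_names()
reads the same list the Add/Remove Programs applet shows
(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<key>\DisplayName).
"""
import re
import sys

SAMPLE_ENTRIES = [
    "Adobe Reader 8",
    "Java(TM) 6 Update 7",
    "Java(TM) 6 Update 3",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "J2SE Runtime Environment 5.0 Update 11",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "Java Web Start",    # Java-named but not a runtime version: reported, not touched
]

# Each layout maps to a comparable (family, minor, update) tuple, so numbers
# are compared as numbers: "Update 11" beats "Update 6", which a plain string
# sort gets wrong.  Java 6 Update 7 -> (6, 0, 7); J2SE 5.0 Update 6 -> (5, 0, 6);
# 1.4.2_03 -> (4, 2, 3).
PATTERNS = [
    (re.compile(r"^Java(?:\(TM\)|\u2122)?(?: SE Runtime Environment)? (\d+) Update (\d+)$"),
     lambda m: (int(m.group(1)), 0, int(m.group(2)))),
    (re.compile(r"^J2SE Runtime Environment (\d+)\.(\d+) Update (\d+)$"),
     lambda m: (int(m.group(1)), int(m.group(2)), int(m.group(3)))),
    (re.compile(r"^Java 2 Runtime Environment, SE v1\.(\d+)\.(\d+)_(\d+)$"),
     lambda m: (int(m.group(1)), int(m.group(2)), int(m.group(3)))),
]


def java_version(display_name):
    """Version tuple for a Java runtime entry, or None if the name is not one."""
    for pattern, to_tuple in PATTERNS:
        m = pattern.match(display_name.strip())
        if m:
            return to_tuple(m)
    return None


def plan(display_names):
    """keep: the newest runtime; remove: every older runtime, newest first;
    unparsed: Java-named entries this example does not understand."""
    runtimes, unparsed = {}, []
    for name in display_names:
        version = java_version(name)
        if version is not None:
            runtimes[name] = version
        elif name.lower().startswith(("java", "j2se")):
            unparsed.append(name)
    if not runtimes:
        return {"keep": None, "remove": [], "unparsed": unparsed}
    keep = max(runtimes, key=runtimes.get)
    remove = sorted((n for n in runtimes if n != keep), key=runtimes.get, reverse=True)
    return {"keep": keep, "remove": remove, "unparsed": unparsed}


def installed_display_names():
    """DisplayName of every Add/Remove Programs entry (Windows only)."""
    import winreg
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall") as root:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(root, index)
            except OSError:          # no more subkeys
                break
            index += 1
            try:
                with winreg.OpenKey(root, sub) as key:
                    names.append(winreg.QueryValueEx(key, "DisplayName")[0])
            except OSError:          # entry without a DisplayName
                continue
    return names


if __name__ == "__main__":
    entries = installed_display_names() if sys.platform == "win32" else SAMPLE_ENTRIES
    result = plan(entries)
    print("keep:   ", result["keep"])
    for name in result["remove"]:
        print("remove: ", name)
    for name in result["unparsed"]:
        print("check:  ", name)
```

The output is a list to act on through Add/Remove Programs, not an automatic uninstall; the "check" lines are there precisely so that an entry the patterns do not recognise is looked at rather than silently kept. The same approach applies to the Adobe Reader point in the reply, which needs only a further pattern for that product's display name.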
LynnBR
post Aug 8 2008, 02:16 PM
Post #6


Here's the log. I'll work on the Java and Adobe items. It's also Friday afternoon, I have to leave early, and since I hope to avoid the office this weekend, I won't bug you unless it's well over 48 hours before I hear back from you.

As for the 3 files on N drive, I need to see what they are. Can't just go deleting files from the accounting software now, can we?

Thanks again!
Lynn

Attached file: OTScanIt.zip (28.17k)
Blender
post Aug 9 2008, 05:46 PM
Post #7



Hi,

Thanks for the log.
I am looking at it now & will reply back shortly with recommendations.

As for those 3 files on the N drive -- if they were in fact a legitimate part of your accounting software -- I highly suggest replacing them with backups.
What is the date created/modified compared to other files in that directory?
I hate to see that thing get executed...
I don't think it can execute properly as the scanners from VT seem to indicate a damaged virus but --
This virus can do a lot of damage.

http://www.trendmicro.com/vinfo/virusencyc...2EB&VSect=T

You may also want to upload copies to your AV company & have them check it out. Possible the virus portion can be removed and leave file itself intact if you don't have backups.
Your AV may have an option to upload suspicious files?

Anyhoo -- be back shortly.


--------------------
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
Go to the top of the page
 
+Quote Post
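On the timestamp question in the reply above: a file infector that appends itself to executables leaves the files it hit with a modified time later than the siblings that were installed alongside them, so comparing the three flagged files against the rest of N:\ACCSoft is a quick first check before going to the backups. The following is an added example written for that question, not part of the original post, that flags any created or modified time far from the directory's typical value. The 30-day tolerance and SAMPLE_LISTING are the example's assumptions; the dates in it are constructed, not taken from the poster's server.

```python
"""Compare a directory's created/modified times and flag the odd ones out.

Added example for this thread, written for the timestamp question in the
reply above; not part of the original post. A file infector that appends
itself to executables leaves the files it hit with a modified time later than
the siblings installed alongside them, so a file whose created or modified
time sits far from the directory's typical value is the first place to look.
The 30-day tolerance and SAMPLE_LISTING are this example's assumptions (the
dates are constructed, not taken from the poster's server). listing_from_dir()
collects the same fields from a real directory; on Windows st_ctime is the
creation time.
"""
import os
from collections import namedtuple
from datetime import datetime, timedelta

Entry = namedtuple("Entry", "name created modified")
D = datetime

# Constructed: one install batch from 2005, one later patch within tolerance,
# and three files whose times are out of step with the rest.
SAMPLE_LISTING = [
    Entry("AC.exe",        D(2005, 3, 14, 9, 2),   D(2008, 7, 18, 11, 40)),
    Entry("ACCSoft.exe",   D(2005, 3, 14, 9, 2),   D(2005, 3, 14, 9, 2)),
    Entry("DBEdit.exe",    D(2005, 3, 14, 9, 2),   D(2008, 7, 18, 11, 41)),
    Entry("Report.exe",    D(2005, 3, 14, 9, 2),   D(2005, 3, 14, 9, 2)),
    Entry("SiteSetup.exe", D(2008, 7, 18, 11, 39), D(2008, 7, 18, 11, 39)),
    Entry("Update.exe",    D(2005, 3, 14, 9, 2),   D(2005, 4, 1, 16, 30)),
    Entry("accdb.dll",     D(2005, 3, 14, 9, 2),   D(2005, 3, 14, 9, 2)),
]


def _median(values):
    ordered = sorted(values)
    return ordered[len(ordered) // 2]


def timestamp_outliers(listing, tolerance=timedelta(days=30)):
    """Return (name, field, delta) for each created/modified time that is more
    than `tolerance` away from the directory's median for that field."""
    if not listing:
        return []
    median = {field: _median(getattr(e, field) for e in listing)
              for field in ("created", "modified")}
    flagged = []
    for e in listing:
        for field in ("created", "modified"):
            delta = getattr(e, field) - median[field]
            if abs(delta) > tolerance:
                flagged.append((e.name, field, delta))
    return flagged


def listing_from_dir(path, suffixes=(".exe", ".dll")):
    """Build the same Entry list from a real directory (executables only)."""
    entries = []
    with os.scandir(path) as it:
        for de in it:
            if de.is_file() and de.name.lower().endswith(suffixes):
                st = de.stat()
                entries.append(Entry(de.name,
                                     datetime.fromtimestamp(st.st_ctime),
                                     datetime.fromtimestamp(st.st_mtime)))
    return entries


if __name__ == "__main__":
    for name, field, delta in timestamp_outliers(SAMPLE_LISTING):
        print(f"{name}: {field} is {delta.days} days from the directory median")
```

Two caveats. The median only works while the untouched files are the majority; if most of a directory has been hit, compare against a known-good copy of the software instead. And a timestamp that is out of step is a reason to look, not a verdict: a genuine vendor patch produces the same signature, which is why the result is a shortlist for the backup comparison asked for above.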
Blender