
May Still Be Infected With Pcsrv.exe Or More....unsure


26 replies to this topic

#1 greenjeans63

greenjeans63

  • Members
  • 26 posts
  • Gender:Female

Posted 09 August 2007 - 01:51 PM

Hello....I am a new poster here. I've come here a lot looking at posts to try and solve problems on my pc and on others. Right now, I am trying to clean up an HP Pavilion xt963 my aunt recently bought from something called "Dial-A-Deal" in the area where she lives. The computer runs WindowsXP. I can't put it online here at home because she uses a totally different internet provider than what I do in my area, and also I don't have the correct connections (DSL cables) for it, either. So, I used what she has installed to try and clean up what I could. She has Adaware SE, Spybot S&D, and also has Defender Pro Antivirus and Firewall installed. I have done a search on the web for the specific infection, which is pcsrv.exe and have learned that it is a keylogger trojan. I tried to follow the instructions but I'm not that familiar with messing around in DOS mode, so I tried another post on another site that had somewhat different instruction.
After downloading what I was told to, I looked for the registry keys that I was told I should delete, the .dll files I was told to unregister, and a list of other files I was to look for, but the ONLY file I found that was listed was the pcsrv.exe. I couldn't do ANYTHING to the stupid computer because this trojan was constantly hogging up the resources and bogging the computer down horrible. After much frustration, I used the Defender Pro TuneUp program installed with her antivirus program, which has an option to wipe files, via Military Wiping (which says it is overwritten many times over and can't be recovered). THAT is how I finally got the executable to stop aggravating me no end, and to stop popping up every 5 seconds. It wouldn't allow me to wipe it from inside the windows folder, so I moved it to the desktop and wiped it. Now I just get a message that says windows cannot locate it, which is lovely. I don't WANT windows to locate it.
Now, I also downloaded HiJack This to my computer, and burned it to a cd so I could install it on HER computer. I then burned the HJT log, which I copied back to to my computer and have posted below. Although it's running much better, it's still running much slower than it should and I wanted to know if I needed to do more. Hope you can help, and please don't bawl me out TOO bad. I'm new at this virus stuff.

Logfile of HijackThis v1.99.1
Scan saved at 1:58:42 PM, on 8/9/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prtcnet.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Defender Pro Anti-Scam - {102BAD8B-CD05-46ff-94FF-A2C1ABD5F7D5} - C:\Program Files\Defender Pro\Defender Pro Anti-Scam\mscoree.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ServicesNotify] C:\Program Files\Defender Pro\Defender Pro Anti-Scam\ServicesNotify.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - Global Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm479YYUS
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFA13BBA-9675-48B3-84FB-A9D2301BCEC6}: NameServer = 204.68.227.1,204.68.227.2
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows PC service - Unknown owner - C:\WINDOWS\pcsrv.exe (file missing)

Edited by greenjeans63, 09 August 2007 - 01:52 PM.




#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 20 August 2007 - 02:24 PM

Hi greenjeans63, :flowers:

If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

A new version of HijackThis has now been released, so before you repost your log please download and install the new version by following the instructions in Step 9 of the Preparation Guide For Use Before Posting A Hijackthis Log.

Thanks for your patience! :thumbsup:

#3 greenjeans63

greenjeans63
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Female

Posted 21 August 2007 - 03:20 PM

Hello Falu, and thanks for answering my post. As far as I know, I have the latest version of HJK, which is 1.99. Is there a newer one? The search engines and links keep pulling up 1.99 as the latest. Please let me know if that is incorrect.
I have posted the new log below. As I said in the first post, it tells me pcsrv.exe is missing, which is the trojan I was hoping I'd gotten completely rid of. I have since found two more trojans and successfully removed them.
Have a look-see and tell me if you see anything out of the ordinary. Thanks for your time.





Logfile of HijackThis v1.99.1
Scan saved at 4:14:12 PM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MotiveReportAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\MotiveBrowser.exe" /hidden
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Cosmi\HelpExpress\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE" -run
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/ALLTEL...aller_2-0-0.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows PC service - Unknown owner - C:\WINDOWS\pcsrv.exe (file missing)

#4 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 21 August 2007 - 05:06 PM

Hi greenjeans63, :flowers:

Please use the link I provided and you'll find the latest version. :thumbsup:

#5 greenjeans63

greenjeans63
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Female

Posted 23 August 2007 - 05:00 PM

Ok, as requested, I FINALLY located the newer version for HJK (I tried the link you gave me the first time around but for some reason it wouldn't open the page for me, so I did a search on ask.com and google for it, which is why I thought 1.99 WAS the newest version.......so sorry :flowers: ) and have posted the log below. I did run adaware se and spybot s&d again (twice each), and have been fighting all morning with two trojans; one of which keeps reinventing itself. If they show up again, I will list their names and see if you can point me in the right direction for help on their (full and complete) removal.
Thanks for your patience. :thumbsup:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:42 PM, on 8/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\ClocX\ClocX.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [Winamp Media] C:\WINDOWS\System32\qmedia.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ICQ Agent] C:\WINDOWS\System32\icq6.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Winamp Media] C:\WINDOWS\System32\qmedia.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/ALLTEL...aller_2-0-0.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows PC service - Unknown owner - C:\WINDOWS\pcsrv.exe (file missing)

--
End of file - 2552 bytes


I WOULD LIKE TO ADD THAT I ALREADY SEE FOR MYSELF THAT QMEDIA IS STILL IN THERE (One I thought I got rid of three weeks ago) AND ALSO ICQ6. THANKFULLY, PCSRV.EXE IS STILL MISSING IN ACTION. MAYBE I DID SOMETHING RIGHT AFTER ALL.

Edited by greenjeans63, 23 August 2007 - 05:04 PM.
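Added example, not part of this thread and not a feature of HijackThis: the checks a helper makes by eye on a log like the one above (a service whose binary is "(file missing)", Run entries under the SYSTEM or Default-user hive launching something out of the Windows folder, a program parked directly in C:\WINDOWS) written out as a small Python triage script. The sample lines are copied from the logs in this thread; the C:\WINDOWS location, the hive names it treats as sensitive and the severity labels are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: O4 (autorun) and O23 (service) lines lifted from
# the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-18\..\Run: [Winamp Media] C:\WINDOWS\System32\qmedia.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ICQ Agent] C:\WINDOWS\System32\icq6.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Winamp Media] C:\WINDOWS\System32\qmedia.exe (User 'Default user')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - Global Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows PC service - Unknown owner - C:\WINDOWS\pcsrv.exe (file missing)
"""

# "O4 - <hive>\..\Run: [<name>] <command> (User '<user>')"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$")
# "O23 - Service: <display> - <owner> - <path>[ (file missing)]"
# (a display name or path that itself contains " - " would need a smarter split)
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$")
# The program a command line launches, quoted or not, without its switches
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|scr|dll|bat|cmd))"?(?:\s|$)', re.I)

WINDIR = "c:\\windows"                               # assumed %SystemRoot% (assumption)
SYSTEM_HIVES = ("hkus\\s-1-5-18", "hkus\\.default")  # SYSTEM and Default-user hives
ROOT_OK = {"explorer.exe"}                           # legitimately lives directly in %SystemRoot%


@dataclass
class Entry:
    kind: str             # "O4" autorun or "O23" service
    name: str             # Run value name or service display name
    path: str             # executable path as logged
    hive: str = ""        # O4 only
    owner: str = ""       # O23 only
    missing: bool = False


@dataclass
class Finding:
    severity: str
    line: str
    reason: str


def executable(cmd: str) -> str:
    m = EXE_RE.match(cmd)
    return m["exe"] if m else cmd.split()[0]   # no recognised extension: first token


def parse_entry(line: str):
    m = O4_RE.match(line)
    if m:
        return Entry("O4", m["name"], executable(m["cmd"]), hive=m["hive"])
    m = O23_RE.match(line)
    if m:
        return Entry("O23", m["display"], m["path"], owner=m["owner"],
                     missing=m["missing"] is not None)
    return None   # R0, O16, Global Startup etc. are skipped, not guessed at


def normalize(path: str) -> str:
    return path.lower().replace("%systemroot%", WINDIR)


def in_windows_root(p: str) -> bool:
    # directly in %SystemRoot%, not in System32 or another subfolder
    return p.startswith(WINDIR + "\\") and "\\" not in p[len(WINDIR) + 1:]


def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        e = parse_entry(line)
        if e is None:
            continue
        p = normalize(e.path)
        base = p.rsplit("\\", 1)[-1]
        if e.kind == "O4" and e.hive.lower() in SYSTEM_HIVES and p.startswith(WINDIR + "\\"):
            findings.append(Finding("HIGH", line, f"'{e.name}' autostarts {base} from the Windows "
                f"directory under the {e.hive} hive; software installed for a real user does not register there"))
        if e.kind == "O23":
            if e.missing:
                findings.append(Finding("HIGH", line, f"service '{e.name}' is an orphan registration: "
                    f"{base} is gone but the service entry still exists and needs removing"))
            if e.owner.lower() == "unknown owner":
                findings.append(Finding("LOW", line, f"service '{e.name}' carries no publisher information"))
        if in_windows_root(p) and base not in ROOT_OK:
            findings.append(Finding("MEDIUM", line, f"{base} sits directly in %SystemRoot% rather than in a subfolder"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run as-is it prints each flagged line with the reason; feed it a whole saved log with triage(open(path).read()). Note that the orphaned pcsrv.exe service is reported even though the executable is gone: wiping the file by hand leaves the service registration behind, which is exactly the "(file missing)" entry that keeps showing up in the logs above.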


#6 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 August 2007 - 07:56 AM

Hi greenjeans63, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

Your log shows some very bad trojans on your computer:

Backdoor.Sdbot which is a Trojan horse that opens a back door and allows a remote attacker to control a computer by using Internet Relay Chat (IRC). The Trojan can update itself by checking for newer versions on the Internet.

Next to that you have Troj/Diazom-A and Troj/Agent-FZJ both of which include functionality to access the internet and communicate with a remote server via HTTP.

I would counsel you to disconnect this PC from the Internet immediately until it's clean. If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojans have been identified there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Visit the following sites for more information on internet theft and when to reformat!

If you have any questions before to come to a final decision, feel free to ask.

Please let me know your decision.

#7 greenjeans63

greenjeans63
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Female

Posted 26 August 2007 - 01:12 AM

Hello again, Falu...... :flowers:
I don't know much about HJT logs, but I was afraid you were gonna say that. :thumbsup: After I posted the log, I couldn't get my antivirus to open and run, so I downloaded the free AVG version and installed it. I also downloaded their anti-root kit removal tool, but haven't messed with it, as I don't really know what I would need to remove.
Anyhoo, I installed and updated the virus database, disconnected from the internet, and immediately did a scan today, and AVG removed a Trojan, as well as 5 of its backup copies, from my computer. (And no, I do not do any banking or shopping online, but I thank you for the warning. My computer is basically just for me to check email, play a few online games, and for me to create graphic wallpapers.)
I have several things installed that I am using to check everything out with; I have Belarc Advisor, AVG antivirus, Defender Pro Firewall, spybot s&d, Adaware SE, Rogue-remover, HJT, and Internet Cleanup. I will again post an HJT log tomorrow (after having run the AVG Antivirus again, as well as Adaware, Spybot, and anything else I have that might help) and hope you will tell me things look a little better.
I don't, as a general rule, store "sensitive" personal information on my computer. I've never personally felt that comfortable with the whole online shopping/banking scenario. It's not for me. I WILL, however, consider the full re-install if, after another HJT log, you tell me that you think I may still need to. And thank YOU for YOUR patience. :huh:

#8 greenjeans63

greenjeans63
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Female

Posted 26 August 2007 - 03:36 PM

Hello Falu....

As promised, I have posted my latest HJK log, from just a few moments ago. I ran AVG last night, with no threats detected, as well as both Adaware SE and Spybot S&D this morning. Other than the regular MRU's and tracking cookies (which I promptly took care of), I got a clean bill there, also. If you don't mind, could you give this log a once-over for me, and tell me if you would still suggest a re-install?

As I stated in my previous post, I don't use my computer for anything except for creating my wallpapers and just playing a few games here and there and for checking email. You'd think that for one who uses it for nothing more than that, I wouldn't get all tore up when it's on the fritz. Not so......I'm like a mad woman. I cannot stand for a machine to out-do me. This one's been nerve wracking, and I really wish people would invest in one of the many free antivirus applications out there, and spend just a few minutes a day protecting their computers so that when they decide to sell for a bigger/better/faster one? People like me who can't afford bigger/better/faster and who rely on "used and abused" won't feel like they've thrown money down the drain because the computer is infected with too many viruses to be useful anymore.
One more thing: I had tried for a week to get the winxp updates installed, and I was constantly denied the updates. I'm supposing maybe it was something to do with the trojans? Anyhow, I am happy to report that all 84 of the updates downloaded the other day and now my 'puter is covered in nearly every crack, nook and corner; least til they tell us we need 84 more, right?

Thanks again, Falu



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:21 PM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\ClocX\ClocX.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/ALLTEL...aller_2-0-0.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 2874 bytes

#9 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 August 2007 - 09:05 AM

Hi greenjeans63, :thumbsup:

We can try and clean the computer but please remember what I explained in my first post: there's no guarantee that you can trust your computer again. By the way it's a plus that you don't use your computer for financial etc. purposes.

Okay, it may be that some infection is fooling HijackThis so let's find out and do the following:

Go to C:\Program Files\Trend Micro\HijackThis\ and rename Hijackthis.exe to Analyse.exe and then reboot.
After reboot, run Analyse.exe (which is hijackthis of course) and post the log it creates in your next reply.

#10 greenjeans63

greenjeans63
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Female

Posted 27 August 2007 - 04:30 PM

Falu.......
Hello again, and here is the new log. Again, I am not that familiar with these log entries, but I am wondering about that last entry. I looked it up online, and apparently it's something to do with the HP printer. I do not, at the moment, have a printer installed, so what that would be doing popping up there I don't know. I also understand some malicious applications disguise themselves under guise of HPZipm12.exe. I don't know; maybe I'm just being paranoid. I know five trojans isn't a whole heck of a lot considering others have found far more than that on their systems, but that's 5 too many for me. Either way, here's the log and happy hunting. Just please don't find anything undesirable. LOL



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:17:39 PM, on 8/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\Ontrack\Internet Cleanup\onictask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
C:\Program Files\GRISOFT\AVG7\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\Analyse.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Cleanup.lnk = C:\Program Files\Ontrack\Internet Cleanup\onictask.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/ALLTEL...aller_2-0-0.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 2766 bytes

#11 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 29 August 2007 - 05:08 AM

Hi greenjeans63, :thumbsup:

I do not, at the moment, have a printer installed, so what that would be doing popping up there I don't know. I also understand some malicious applications disguise themselves under guise of HPZipm12.exe.


Nothing wrong with that file, you probably had one in the past.

No malware showing in HJT, but, looking at your original post, I want to be sure.

1. Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

2. Download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

3. Download ATF Cleaner by Atribune. Do not run it yet.

4. Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

5. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

6. Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
7. Run HijackThis, click Scan and checkmark the following entries:

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

8. Download reglooks from here and save it to your desktop.
Doubleclick reglooks.exe and wait until a logfile appears.
The log will be called result.txt.
Copy and paste the contents of this log in your next reply.

Please reboot and post result.txt along with the Dr. Web report and a fresh HijackThis log.

#12 greenjeans63

greenjeans63
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Female

Posted 29 August 2007 - 11:54 PM

Alrighty, Falu......
Lemme start by saying EEEEk!!! Boy, was I surprised!!!
So, I did as you asked, and saved the log files. The second part of the Drweb-CureIt took a little over two hours to run. Now, I don't know what the deal is with reglooks, but it did not generate a log file. The DOS prompt appeared for a split second and was gone. I clicked the reglooks again to run it a second time (thinking maybe it was something I did/didn't do right) and got the same thing--flash of the DOS prompt and then nothing. :thumbsup: Is it putting the log somewhere and I'm too stupid to figure it out? Is the fact that it didn't generate a log an indication that there's nothing to report on, or that there's something wrong with the executable? What? I hate when stuff like that happens. Just in case, I did a file search for result.txt and got nothing there either, so could you advise as to my next step on that note?
Anyhoo, below I've posted the Drweb-CureIt log and the HJK log. And let me add that I deeply appreciate your help.

RegUBP2b-Owner.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots;Trojan.StartPage.1505;Deleted.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Moved.;
Terminator.exe;C:\hp\bin;Trojan.KillApp.30208;Deleted.;
A0018216.reg;C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP29;Trojan.StartPage.1505;Deleted.;
A0018336.reg;C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP29;Trojan.StartPage.1505;Deleted.;
A0018337.exe;C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP29;Trojan.KillApp.30208;Deleted.;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:52 AM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\Ontrack\Internet Cleanup\onictask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
C:\Program Files\GRISOFT\AVG7\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Cleanup.lnk = C:\Program Files\Ontrack\Internet Cleanup\onictask.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 2619 bytes
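A defender-side reader for HijackThis logs like the one posted above, added here as an example; it is not part of this thread and is not code from HijackThis or BleepingComputer. It parses a constructed excerpt modelled on the log above (the ExampleLoader line, the %systemroot% and PROGRA~1 expansions and the two "trusted root" directories are assumptions) and lists every O4 autorun whose image sits outside the Windows or Program Files trees, together with whether that image also appears in the running-process list.

```python
import re

# Constructed excerpt in HijackThis v2.0.2 log format, modelled on the log
# above; the ExampleLoader line is made up so that the check has a hit.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Ontrack\Internet Cleanup\onictask.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKCU\..\Run: [ExampleLoader] C:\Documents and Settings\Owner\Local Settings\Temp\example_loader.exe
O4 - Startup: Cleanup.lnk = C:\Program Files\Ontrack\Internet Cleanup\onictask.exe
"""

# Registry Run values carry an optional "(User '...')" suffix; Startup-folder
# entries use "name = path" instead.
O4_REGISTRY = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] "
                         r"(?P<cmd>.+?)(?: \(User '(?P<user>[^']+)'\))?$")
O4_FOLDER = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")

EXTS = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".pif")
# Assumed defaults for a single-drive XP install: %systemroot% and the 8.3
# alias PROGRA~1 are expanded so the same file compares equal everywhere.
ALIASES = {"%systemroot%": "c:\\windows", "c:\\progra~1": "c:\\program files"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def executable_of(cmd):
    """Image path of a HijackThis command string (paths are not quoted, so
    tokens are joined until one ends in a known extension; a switch or a bare
    number ends the path when there is no extension, as with dumprep)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    parts = []
    for tok in cmd.split(" "):
        if parts and (tok.startswith(("/", "-")) or tok.isdigit()):
            break
        parts.append(tok)
        if tok.lower().endswith(EXTS):
            break
    return " ".join(parts)


def normalize(path):
    """Lower-case and expand the aliases so one file has one spelling."""
    p = path.strip().lower()
    for alias, full in ALIASES.items():
        if p.startswith(alias):
            p = full + p[len(alias):]
    return p


def parse_hjt(log):
    """Return (O4 autostart entries, set of running image paths)."""
    running, entries, in_procs = set(), [], False
    for line in (ln.strip() for ln in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            in_procs = bool(line)          # a blank line closes the section
            if line:
                running.add(normalize(line))
        else:
            m = O4_REGISTRY.match(line) or O4_FOLDER.match(line)
            if m:
                d = m.groupdict()
                exe = normalize(executable_of(d["cmd"]))
                entries.append({"name": d["name"], "hive": d["hive"],
                                "user": d.get("user"), "exe": exe,
                                "running": exe in running,
                                "trusted_root": exe.startswith(TRUSTED_ROOTS)})
    return entries, running


def suspicious_entries(entries):
    """Autostarts whose image sits outside the Windows and Program Files trees."""
    return [e for e in entries if not e["trusted_root"]]
```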

#13 Falu (Security Colleague)

Posted 30 August 2007 - 04:16 AM

Hi greenjeans63, :thumbsup:

Now, I don't know what the deal is with reglooks, but it did not generate a log file. The DOS prompt appeared for a split second and was gone. I clicked the reglooks again to run it a second time (thinking maybe it was something I did/didn't do right) and got the same thing--flash of the DOS prompt and then nothing.


1. Remove anything relating to Reglooks from your desktop.

2. Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Click the "Delete Cookies" button
* Next to it, Click the "Delete Files" button
* When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu on the left side of the Options window.
* Click the Clear button located to the right of each option (History, Cookies, Cache).
* Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

3. Download reglooks again from here and save it to your desktop.
Double-click reglooks.exe and wait until a logfile appears.
The log will be called result.txt.
Copy and paste the contents of this log in your next reply.

#14 greenjeans63 (Topic Starter)

Posted 31 August 2007 - 09:12 PM

Hello Falu......
Looks like this time around I had some success with the reglooks. Have posted the log below. In the beginning, the file said something about not being able to locate a temp12 file. Shoulda paid more attention to that first line or two, I guess. Sorry. I have a 3 yr. old who demands my attention every 5 minutes.
Ok, log posted below..

REGLOOKS logfile

version 0.971
Fri 08/31/2007 21:57:16.04
running from: "C:\Documents and Settings\Owner\Desktop"

--- SSODL regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
only standard or legit regkeys found


--- STS regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
only standard or legit regkeys found


--- USERINIT regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"


--- SHELL regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="Explorer.exe"


--- SYSTEM regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"System"=""


--- APPINIT_DLLS regkey ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"=""


--- NOTIFY regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
only standard or legit regkeys found


--- RUN / LOAD regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
"load"=""


--- BOOTEXECUTE regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
BootExecute= autocheck autochk *\0\0


--- SHELLEXECUTEHOOKS regkey ---

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""


--- AUTORUN regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
"AutoRun"=""


--- HKLM\Run regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"ClocX"="C:\\Program Files\\ClocX\\ClocX.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"


--- HKLM\RunOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKLM RunOnce keys found


--- HKLM\RunOnceEx regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
no HKLM RunOnceEx keys found


--- HKLM\RunServices regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
no HKLM RunServices keys found


--- HKLM\RunServicesOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
no HKLM RunServicesOnce keys found


--- HKCU\Run regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKCU Run keys found


--- HKCU\RunOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKCU RunOnce keys found


--- HKCU\RunOnceEx regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
regkey does not exist


--- HKCU\RunServices regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
no HKCU RunServices keys found


--- HKCU\RunServicesOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
no HKCU RunServicesOnce keys found


--- HKU\.DEFAULT\Run regkeys ---

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"


--- HKU\S-1-5-18\Run regkeys ---

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"


--- HKU\S-1-5-19\Run regkeys ---

HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"


--- HKU\S-1-5-20\Run regkeys ---

HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"


--- HKLM\Explorer\Run regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
regkey does not exist


--- HKCU\Explorer\Run regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
regkey does not exist


--- Image File Execution regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
no debuggers found


--- BROWSER HELPER OBJECTS regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
no bho's found


--- TOOLBAR regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
no toolbars found


--- URLSEARCHHOOKS regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
only standard regkeys found


--- CONTEXTMENUHANDLERS regkeys ---

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
"AVG7 Shell Extension" CLSID ={9F97547E-4609-42C5-AE0C-81C61FFAEBC3} FILE ="C:\\Program Files\\Grisoft\\AVG7\\avgse.dll"
"Kaspersky Anti-Virus" CLSID ={dd230880-495a-11d1-b064-008048ec2fc5} FILE ="C:\\Program Files\\Defender Pro\\Defender Pro Anti-Virus\\shellex.dll"
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll
"Open With" CLSID ={09799AFB-AD67-11d1-ABCD-00C04FC30936} FILE =%SystemRoot%\system32\SHELL32.dll
"Open With EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll
"{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}" Start Menu Pin FILE =%SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers
"EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll
"Sharing" CLSID ={f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} FILE ="ntshrui.dll"

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers
"AVG7 Shell Extension" CLSID ={9F97547E-4609-42C5-AE0C-81C61FFAEBC3} FILE ="C:\\Program Files\\Grisoft\\AVG7\\avgse.dll"
"Kaspersky Anti-Virus" CLSID ={dd230880-495a-11d1-b064-008048ec2fc5} FILE ="C:\\Program Files\\Defender Pro\\Defender Pro Anti-Virus\\shellex.dll"
"{B33DE746-DEFE-4D7A-87DB-900864B1D3A8}" ECHO is off. FILE ="C:\\Program Files\\Defender Pro\\Defender Pro PC Tune-up and Repair\\ContextHandler.dll"


--- ALTERNATESHELL regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
"AlternateShell"="cmd.exe"


--- SAFEBOOT MINIMAL SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
no unknown services found


--- SAFEBOOT NETWORK SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
no unknown services found


--- SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ac97intc
"DisplayName"="Intel® 82801 Audio Driver Install Service (WDM)"
system32\drivers\ac97intc.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFS2K
"DisplayName"="AFS2k"
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AN983
"DisplayName"="ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter"
System32\DRIVERS\AN983.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Aspi32
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVG Anti-Rootkit
"DisplayName"="AVG Anti-Rootkit"
System32\DRIVERS\avgarkt.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Avg7Alrt
"DisplayName"="AVG7 Alert Manager Server"
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Avg7Core
"DisplayName"="AVG7 Kernel"
\SystemRoot\System32\Drivers\avg7core.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Avg7RsW
"DisplayName"="AVG7 Wrap Driver"
\SystemRoot\System32\Drivers\avg7rsw.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Avg7RsXP
"DisplayName"="AVG7 Resident Driver XP"
\SystemRoot\System32\Drivers\avg7rsxp.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Avg7UpdSvc
"DisplayName"="AVG7 Update Service"
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AvgArCln
"DisplayName"="Avg Anti-Rootkit Clean Driver"
System32\DRIVERS\AvgArCln.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AvgClean
"DisplayName"="AVG7 Clean Driver"
\SystemRoot\System32\Drivers\avgclean.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVGEMS
"DisplayName"="AVG E-mail Scanner"
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AvgTdi
"DisplayName"="AVG Network Redirector"
\SystemRoot\System32\Drivers\avgtdi.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ENETHUSB
"DisplayName"="Speedstream Ethernet USB Adapter"
System32\DRIVERS\enethusb.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gameenum
"DisplayName"="Game Port Enumerator"
System32\DRIVERS\gameenum.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidUsb
"DisplayName"="Microsoft HID Class Driver"
System32\DRIVERS\hidusb.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HPZid412
"DisplayName"="IEEE-1284.4 Driver HPZid412"
System32\DRIVERS\HPZid412.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HPZipr12
"DisplayName"="Print Class Driver for IEEE-1284.4 HPZipr12"
System32\DRIVERS\HPZipr12.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HPZius12
"DisplayName"="USB to IEEE-1284.4 Translation Driver HPZius12"
System32\DRIVERS\HPZius12.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i81x
System32\DRIVERS\i81xnt5.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iAimFP0
System32\DRIVERS\wADV01nt.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iAimFP1
System32\DRIVERS\wADV02NT.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iAimFP2
System32\DRIVERS\wADV05NT.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iAimFP3
System32\DRIVERS\wSiINTxx.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iAimFP4
System32\DRIVERS\wVchNTxx.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iAimTV0
System32\DRIVERS\wATV01nt.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iAimTV1
System32\DRIVERS\wATV02NT.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iAimTV3
System32\DRIVERS\wATV04nt.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iAimTV4
System32\DRIVERS\wCh7xxNT.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IDriverT
"DisplayName"="InstallDriver Table Manager"
C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid
"DisplayName"="Keyboard HID Driver"
System32\DRIVERS\kbdhid.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kl1
"DisplayName"="Kl1"
System32\drivers\kl1.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Klif
"DisplayName"="Klif"
System32\drivers\klif.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Klmc
"DisplayName"="Klmc"
System32\drivers\klmc.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Klpf
"DisplayName"="Klpf"
System32\drivers\Klpf.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Klpid
"DisplayName"="Klpid"
System32\drivers\Klpid.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ltmodem5
"DisplayName"="LT Modem Driver"
System32\DRIVERS\ltmdmnt.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid
"DisplayName"="Mouse HID Driver"
System32\DRIVERS\mouhid.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ms_mpu401
"DisplayName"="Microsoft MPU-401 MIDI UART Driver"
system32\drivers\msmpu401.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ODBC
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\P3
"DisplayName"="Intel PentiumIII Processor Driver"
System32\DRIVERS\p3.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCDRDRV
"DisplayName"="Pcdr CPU Helper Driver"
system32\drivers\PCDRDRV.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PcdrNt
"DisplayName"="PcdrNt"
\SystemRoot\System32\drivers\PcdrNt.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ps2
"DisplayName"="PS2"
System32\DRIVERS\PS2.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PxHelp20
System32\DRIVERS\PxHelp20.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rtl8139
"DisplayName"="Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver"
System32\DRIVERS\RTL8139.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\S3SavageNB
System32\DRIVERS\s3gnbm.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardDrv
"DisplayName"="Smart Card Helper"
%SystemRoot%\System32\SCardSvr.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\serenum
"DisplayName"="Serenum Filter Driver"
system32\DRIVERS\serenum.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usb
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbccgp
"DisplayName"="Microsoft USB Generic Parent Driver"
System32\DRIVERS\usbccgp.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbprint
"DisplayName"="Microsoft USB PRINTER Class"
System32\DRIVERS\usbprint.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbscan
"DisplayName"="USB Scanner Driver"
System32\DRIVERS\usbscan.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebPost
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi
"DisplayName"="Windows Management Instrumentation Driver Extensions"
%SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{BFA13BBA-9675-48B3-84FB-A9D2301BCEC6}
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{DA5DF539-DE1F-484F-B90B-590A0B9F5772}
no imagepath value found


--- SECURITYPROVIDERS regkey ---

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


--- SVCHOST regkey ---

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
LocalService: Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService: DnsCache\0\0
netsvcs: 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0\0
rpcss: RpcSs\0\0
imgsvc: StiSvc\0\0
termsvcs: TermService\0\0
HTTPFilter: HTTPFilter\0\0
DcomLaunch: DcomLaunch\0TermService\0\0


--- WOW-CMDLINE regkeys ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
"cmdline" = %SystemRoot%\system32\ntvdm.exe
"wowcmdline" = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386


--- STARTUP FOLDERS ---

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Cleanup.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini


--- TASK SCHEDULER JOBS ---

C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job


--- File associations ---

.BAT files: ("%1" %*)
.COM files: ("%1" %*)
.EXE files: ("%1" %*)
.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
.PIF files: ("%1" %*)
.REG files: (regedit.exe "%1")
.SCR files: ("%1" /S)
.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)


FINISHED

#15 Falu (Security Colleague)

Posted 01 September 2007 - 05:04 PM

Hi greenjeans63, :thumbsup:

In the beginning, the file said something about not being able to locate a temp12 file. Shoulda paid more attention to that first line or two, I guess. Sorry. I have a 3 yr. old who demands my attention every 5 minutes.


I understand of course, since 'once' we had three-year-olds as well, but, as you know obviously, error messages are always very helpful in identifying possible problems.

I can see that you disabled some items in your Startup through Msconfig. We need to see them because sometimes they can be malware.

Click Start > Run > type: msconfig > OK.
Select Normal Startup - load all device drivers and services.
Click OK. And when asked to restart, click No.

Please post a fresh HijackThis log!