Browser Is Being Hijacked


9 replies to this topic

#1 Paraflame

Paraflame

  • Members
  • 17 posts
  • Local time:06:33 PM

Posted 08 September 2007 - 08:10 PM

Heh, rather than follow the advice of that honest merchant, I figured I'd come here and ask you guys to check my log.
:thumbsup:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:52 AM, on 9/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
F:\Games\Steam\Steam.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng6.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
F:\Games\Dungeon Siege 2\DungeonSiege2.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Sachmo\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "F:\Games\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188908841531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188908761640
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8064 bytes
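Since the thread turns on reading HijackThis logs by eye, here is an added triage helper (not code from the thread or from HijackThis) that parses the R0/R1, O2 and O4 line shapes seen in the log above and flags what a helper looks for first: a start/search page pointing away from the expected default host, a BHO registered with "(no file)", and an autostart given as a bare file name. The default-host allow-list and the sample lines (including the made-up search.example.invalid entry) are assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Host the thread's own R0/R1 lines point at; treated as the expected default (assumption).
DEFAULT_HOSTS = {"go.microsoft.com"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
R_RE = re.compile(r"^(?P<key>[^=]+?) = (?P<url>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# hive: [name] command, with the optional "(User '...')" suffix HijackThis adds for HKUS keys
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")


@dataclass
class Entry:
    section: str   # R0, R1, O2, O4, ...
    name: str      # registry value, BHO name or autostart label
    target: str    # URL, DLL path or command line
    flags: list = field(default_factory=list)


def first_token(cmd: str) -> str:
    """Executable part of an O4 command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def is_bare_filename(exe: str) -> bool:
    """True when the command names a file with no drive or directory (found via PATH search order)."""
    return bool(exe) and not any(c in exe for c in "\\/:")


def parse_line(line: str):
    """Parse one HijackThis line into an Entry (with review flags) or None if unrecognised."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1") and (r := R_RE.match(body)):
        e = Entry(sec, r.group("key"), r.group("url"))
        host = urlparse(e.target).hostname or ""
        if host not in DEFAULT_HOSTS:
            e.flags.append(f"start/search page set to unexpected host '{host}'")
        return e
    if sec == "O2" and (r := O2_RE.match(body)):
        e = Entry(sec, r.group("name"), r.group("path"))
        if e.target == "(no file)":
            e.flags.append(f"orphaned BHO {r.group('clsid')}: CLSID registered but DLL missing")
        return e
    if sec == "O4" and (r := O4_RE.match(body)):
        e = Entry(sec, r.group("name"), r.group("cmd"))
        exe = first_token(e.target)
        if is_bare_filename(exe):
            e.flags.append(f"autostart '{exe}' has no path; locate and verify the file on disk")
        return e
    return Entry(sec, "", body)   # recognised section, no heuristic applied


def triage(log_text: str) -> list:
    """Return only the entries that raised at least one review flag, in log order."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [e for e in entries if e is not None and e.flags]


# Constructed sample modelled on the line shapes in the log above; the
# search.example.invalid line is made up to exercise the R0 check.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.invalid/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section} [{e.name}] {e.target}")
        for f in e.flags:
            print("    ->", f)
```

A flag is a prompt to check the item, not a verdict: the bare-name autostarts in the log above are mostly well-known vendor entries, and a reviewer confirms each one on disk before acting.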


#2 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:08:33 AM

Posted 09 September 2007 - 11:14 AM

  • Please download F-Secure Blacklight (fsbl.exe) from here
  • Save into C:\ with a name of fsbl.exe
  • Go to Start > Run
  • Copy and paste the contents of the below codebox into the run box
    C:\fsbl.exe /expert
  • Click OK
  • This will launch BlackLight
  • Select I accept the agreement
  • Click Next
  • Click Scan
  • Wait for the scan to finish
  • Click on Next>
  • Click Exit
  • A logfile will have been created in the C:\ drive
  • It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
  • Use notepad to open that log
  • Post the contents of that log as a reply to this topic


#3 Paraflame

Paraflame
  • Topic Starter

  • Members
  • 17 posts
  • Local time:06:33 PM

Posted 10 September 2007 - 02:57 AM

09/10/07 17:51:27 [Info]: BlackLight Engine 1.0.64 initialized
09/10/07 17:51:27 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/10/07 17:51:27 [Note]: 7019 4
09/10/07 17:51:27 [Note]: 7005 0
09/10/07 17:51:32 [Note]: 7006 0
09/10/07 17:51:32 [Note]: 7022 0
09/10/07 17:51:32 [Note]: 7011 536
09/10/07 17:51:32 [Note]: 7026 0
09/10/07 17:51:32 [Note]: 7026 0
09/10/07 17:51:35 [Note]: FSRAW library version 1.7.1022
09/10/07 17:57:40 [Note]: 7007 0

#4 Paraflame

Paraflame
  • Topic Starter

  • Members
  • 17 posts
  • Local time:06:33 PM

Posted 10 September 2007 - 09:23 AM

Today I removed the Outpost Firewall (Agnitum) as I found it to be painful; the following is a renewed HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:28 AM, on 11/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Games\Steam\Steam.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng6.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Sachmo\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "F:\Games\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188908841531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188908761640
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7751 bytes

#5 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:08:33 AM

Posted 10 September 2007 - 01:10 PM

  • Download GMER by GMER from here
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver to load
  • If it warns you about rootkit activity and asks if you want to run a scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic


#6 Paraflame

Paraflame
  • Topic Starter

  • Members
  • 17 posts
  • Local time:06:33 PM

Posted 12 September 2007 - 03:25 AM

The link to GMER won't work for me.
Also, Gmer.net as a standalone website isn't loading.

#7 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:08:33 AM

Posted 12 September 2007 - 11:46 AM

  • Download AVG Anti-rootkit from here
  • Double click on avgarkt-setup-1.1.0.42.exe to start the install of AVG Anti-rootkit
  • Click Next>
  • Click Next>
  • Click I agree
  • Click Next>
  • Click Install
  • Click Finish, your computer will now be restarted
  • Once your machine has restarted, double-click on the AVG Anti-rootkit shortcut on your desktop to start AVG Anti-rootkit
  • Click Perform in-depth search
  • Click Scan
  • Wait for the scan to complete
  • Right click in the middle of the window, and click Save results
  • Save it to the desktop as avgrk.csv
  • Use notepad to open that file, and post the contents as a reply to this topic
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized)
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply


#8 Paraflame

Paraflame
  • Topic Starter

  • Members
  • 17 posts
  • Local time:06:33 PM

Posted 13 September 2007 - 01:11 AM

AVG Anti-rootkit didn't find anything, and wouldn't let me save the results when there were none.

DSS Log:
Deckard's System Scanner v20070905.67
Run by Sachmo on 2007-09-13 16:06:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
7: 2007-09-13 06:06:36 UTC - RP49 - Deckard's System Scanner Restore Point
6: 2007-09-12 13:32:58 UTC - RP48 - System Checkpoint
5: 2007-09-11 13:13:58 UTC - RP47 - System Checkpoint
4: 2007-09-10 04:14:50 UTC - RP46 - System Checkpoint
3: 2007-09-09 03:18:17 UTC - RP45 - System Checkpoint


-- First Restore Point --
1: 2007-09-06 23:50:04 UTC - RP43 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Sachmo.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:57 PM, on 13/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Games\Steam\Steam.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng6.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Sachmo\Desktop\dss.exe
C:\DOCUME~1\Sachmo\Desktop\Sachmo.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "F:\Games\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188908841531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188908761640
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7664 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 fsbl-standalone (F-Secure BlackLight Beta Engine Driver) - c:\docume~1\sachmo\locals~1\temp\f-secure\blacklight\fsbldrv.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 NGServer (Symantec Ghost Configuration Server) - c:\program files\symantec\ghost\ngserver.exe <Not Verified; Symantec New Zealand Limited; Symantec Ghost>
R3 ngdbserv (Symantec Ghost Database Service) - c:\program files\symantec\ghost\bin\dbserv.exe <Not Verified; Symantec New Zealand Limited; Symantec Ghost>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C)
Device ID: PCI\VEN_1814&DEV_0302&SUBSYS_3C091186&REV_00\3&13C0B0C5&0&50
Manufacturer: D-Link
Name: D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C)
PNP Device ID: PCI\VEN_1814&DEV_0302&SUBSYS_3C091186&REV_00\3&13C0B0C5&0&50
Service: RT61

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_1415147B&REV_80\3&13C0B0C5&0&78
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_1415147B&REV_80\3&13C0B0C5&0&78
Service:


-- Files created between 2007-08-13 and 2007-09-13 -----------------------------

2007-09-04 22:13:22 8 --a------ C:\WINDOWS\system32\nvModes.dat
2007-09-04 22:11:17 0 d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-08-27 21:38:34 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2007-08-20 22:20:43 0 d-------- C:\Program Files\Common Files\logishrd
2007-08-17 23:41:25 0 d-------- C:\Documents and Settings\Sachmo\Application Data\Adobe
2007-08-17 21:11:03 0 d-------- C:\Program Files\Serious Sam 2
2007-08-17 21:02:44 0 d-------- C:\Program Files\DAEMON Tools
2007-08-17 01:15:47 0 d-------- C:\Program Files\Winamp
2007-08-16 00:37:44 0 d-------- C:\Documents and Settings\Sachmo\Shared
2007-08-16 00:37:41 0 d-------- C:\Documents and Settings\Sachmo\Incomplete
2007-08-16 00:37:27 0 d-------- C:\Documents and Settings\Sachmo\Application Data\LimeWire
2007-08-16 00:37:17 0 d-------- C:\Program Files\LimeWire
2007-08-15 15:45:18 0 d-------- C:\Program Files\Microsoft Works
2007-08-15 15:43:34 0 d-------- C:\Program Files\Microsoft.NET
2007-08-15 15:41:28 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2007-08-15 15:40:15 0 d-------- C:\WINDOWS\SHELLNEW
2007-08-15 15:39:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-08-15 15:39:17 0 dr-h----- C:\MSOCache
2007-08-15 15:31:11 0 d-------- C:\Documents and Settings\Sachmo\Application Data\Ahead
2007-08-15 15:28:53 0 d-------- C:\Program Files\Nero
2007-08-15 15:28:53 0 d-------- C:\Program Files\Common Files\Ahead
2007-08-15 15:28:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-08-15 02:42:29 0 d-------- C:\WINDOWS\system32\NtmsData
2007-08-15 02:40:23 0 d-------- C:\Documents and Settings\Sachmo\Application Data\DAEMON Tools Pro
2007-08-15 02:39:09 0 d-------- C:\Program Files\DAEMON Tools Pro
2007-08-15 02:36:48 720896 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-08-15 02:36:48 9694 --a------ C:\WINDOWS\irunin.dat
2007-08-14 21:28:19 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-14 11:52:52 0 d-------- C:\Documents and Settings\Sachmo\Application Data\Media Player Classic
2007-08-14 11:19:01 0 d-------- C:\Documents and Settings\Sachmo\Application Data\WinRAR
2007-08-14 11:12:21 0 d-------- C:\Documents and Settings\Sachmo\Contacts
2007-08-14 11:11:24 0 d-------- C:\Program Files\MSN Messenger
2007-08-14 10:23:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-14 10:20:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-14 10:17:45 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-08-14 10:17:44 0 d-------- C:\Program Files\SpywareBlaster
2007-08-14 09:31:24 163840 --a------ C:\WINDOWS\system32\unrar.dll
2007-08-14 09:31:22 217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2007-08-14 09:31:22 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-08-14 09:31:22 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-08-14 09:31:22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-08-14 09:31:22 73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-08-14 09:31:21 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-08-14 09:31:21 740442 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2007-08-14 09:31:20 0 d-------- C:\Program Files\K-Lite Codec Pack
2007-08-14 09:10:37 0 d-------- C:\WINDOWS\system32\Lang
2007-08-14 06:43:30 0 d--hs---- C:\WINDOWS\Installer
2007-08-14 06:43:29 0 d-------- C:\Program Files\Common Files\ODBC
2007-08-14 06:43:26 0 dr------- C:\Program Files
2007-08-14 06:43:26 0 d-------- C:\Program Files\Common Files
2007-08-14 06:43:26 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-08-14 06:42:59 0 d--h----- C:\Documents and Settings\Default User\Templates
2007-08-14 06:42:59 0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-08-14 06:42:59 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-08-14 06:42:59 0 d--h----- C:\Documents and Settings\Default User\Recent
2007-08-14 06:42:59 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-08-14 06:42:59 0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-08-14 06:42:59 0 d-------- C:\Documents and Settings\Default User\My Documents
2007-08-14 06:42:59 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2007-08-14 06:42:59 0 d-------- C:\Documents and Settings\Default User\Favorites
2007-08-14 06:42:59 0 d-------- C:\Documents and Settings\Default User\Desktop
2007-08-14 06:42:59 0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-08-14 06:42:59 0 d--h----- C:\Documents and Settings\All Users\Templates
2007-08-14 06:42:59 0 dr------- C:\Documents and Settings\All Users\Start Menu
2007-08-14 06:42:59 0 d-------- C:\Documents and Settings\All Users\Favorites
2007-08-14 06:42:59 0 dr------- C:\Documents and Settings\All Users\Documents
2007-08-14 06:42:59 0 d-------- C:\Documents and Settings\All Users\Desktop
2007-08-14 06:40:35 0 d-------- C:\WINDOWS\system32\CatRoot2
2007-08-14 06:40:35 0 d-------- C:\WINDOWS\system32\CatRoot
2007-08-14 06:40:29 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-08-14 06:40:29 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-08-14 06:40:29 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-08-14 06:40:29 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-08-14 06:40:06 0 d--hs---- C:\System Volume Information
2007-08-14 06:40:06 0 d-------- C:\Documents and Settings
2007-08-14 06:36:01 0 d-------- C:\WINDOWS
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\WinSxS
2007-08-14 06:36:01 0 dr------- C:\WINDOWS\Web
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\twain_32
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\wins
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\wbem
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\usmt
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\spool
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\ShellExt
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\Setup
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\ras
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\PreInstall
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\oobe
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\npp
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\mui
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\inetsrv
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\IME
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\icsxml
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\ias
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\export
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\en
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\drivers
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\drivers\etc
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-08-14 06:36:01 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\dhcp
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\config
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\3com_dmi
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\3076
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\2052
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\1054
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\1042
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\1041
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\1037
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\1033
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\1031
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\1028
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system32\1025
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\system
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\SoftwareDistribution
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\security
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\Resources
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\repair
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\Provisioning
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\PeerNet
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\pchealth
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\Network Diagnostic
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\mui
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\msapps
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\msagent
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\Media
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\java
2007-08-14 06:36:01 0 d--h----- C:\WINDOWS\inf
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\ime
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\Help
2007-08-14 06:36:01 0 dr--s---- C:\WINDOWS\Fonts
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\ehome
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\Driver Cache
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\Debug
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\Cursors
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\Connection Wizard
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\Config
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\AppPatch
2007-08-14 06:36:01 0 d-------- C:\WINDOWS\addins
2007-08-14 00:14:03 0 d-------- C:\Documents and Settings\Sachmo\Application Data\uTorrent
2007-08-14 00:13:45 0 d-------- C:\Program Files\uTorrent
2007-08-13 23:31:42 0 d-------- C:\Documents and Settings\Sachmo\Application Data\Talkback
2007-08-13 23:31:29 0 d-------- C:\Documents and Settings\Sachmo\Application Data\Mozilla
2007-08-13 23:30:19 0 d-------- C:\Program Files\MSXML 6.0
2007-08-13 23:29:37 0 d-------- C:\Program Files\MSBuild
2007-08-13 23:26:54 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-08-13 23:26:28 0 d-------- C:\Program Files\Reference Assemblies
2007-08-13 23:25:25 0 d-------- C:\Program Files\Windows Media Connect 2
2007-08-13 23:24:29 0 d-------- C:\WINDOWS\system32\LogFiles
2007-08-13 23:24:29 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-13 23:20:58 0 d-------- C:\WINDOWS\RegisteredPackages
2007-08-13 23:17:30 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-13 23:14:29 0 d-------- C:\WINDOWS\pss
2007-08-13 23:11:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-08-13 23:11:18 0 d-------- C:\Program Files\Common Files\Adobe
2007-08-13 23:08:09 0 d-------- C:\WINDOWS\Sun
2007-08-13 23:08:09 0 d-------- C:\Documents and Settings\Sachmo\Application Data\Sun
2007-08-13 23:07:43 0 d-------- C:\Program Files\Java
2007-08-13 23:07:26 0 d-------- C:\Program Files\Common Files\Java
2007-08-13 22:57:42 0 d-------- C:\Documents and Settings\Sachmo\Application Data\Macromedia
2007-08-13 22:57:31 0 d-------- C:\Program Files\Symantec
2007-08-13 22:57:22 0 d-------- C:\Program Files\Symantec AntiVirus
2007-08-13 22:57:22 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-13 22:57:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-08-13 22:49:06 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-08-13 22:48:12 0 d-------- C:\Documents and Settings\Sachmo\Application Data\V-Safe
2007-08-13 22:19:22 0 d-------- C:\Program Files\MSXML 4.0
2007-08-13 22:17:15 0 d--h----- C:\WINDOWS\$hf_mig$
2007-08-13 22:04:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-08-13 22:00:39 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-08-13 21:59:04 0 d--hs---- C:\Documents and Settings\Sachmo\UserData
2007-08-13 21:45:47 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2007-08-13 21:45:27 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-08-13 21:45:27 0 d-------- C:\Program Files\DIFX
2007-08-13 21:45:25 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-08-13 21:44:45 49152 --a------ C:\WINDOWS\system32\ChCfg.exe
2007-08-13 21:44:22 0 d-------- C:\Program Files\Realtek Sound Manager
2007-08-13 21:44:22 0 d-------- C:\Program Files\AvRack
2007-08-13 21:44:15 0 d-------- C:\Program Files\Realtek AC97
2007-08-13 21:44:13 315392 --a------ C:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Update driver Tool>
2007-08-13 21:44:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-13 21:43:25 0 d-------- C:\WINDOWS\nview
2007-08-13 21:42:31 0 d-------- C:\Program Files\Common Files\InstallShield
2007-08-13 21:42:23 0 d-------- C:\NVIDIA
2007-08-13 21:42:03 0 d-------- C:\WINDOWS\vnDrvBas
2007-08-13 21:32:22 0 d-------- C:\Documents and Settings\Sachmo\Application Data\Identities
2007-08-13 21:32:14 0 d--h----- C:\Documents and Settings\Sachmo\Templates
2007-08-13 21:32:14 0 dr------- C:\Documents and Settings\Sachmo\Start Menu
2007-08-13 21:32:14 0 dr-h----- C:\Documents and Settings\Sachmo\SendTo
2007-08-13 21:32:14 0 dr-h----- C:\Documents and Settings\Sachmo\Recent
2007-08-13 21:32:14 0 d--h----- C:\Documents and Settings\Sachmo\PrintHood
2007-08-13 21:32:14 3145728 --ah----- C:\Documents and Settings\Sachmo\NTUSER.DAT
2007-08-13 21:32:14 0 d--h----- C:\Documents and Settings\Sachmo\NetHood
2007-08-13 21:32:14 0 dr------- C:\Documents and Settings\Sachmo\My Documents
2007-08-13 21:32:14 0 d--h----- C:\Documents and Settings\Sachmo\Local Settings
2007-08-13 21:32:14 0 dr------- C:\Documents and Settings\Sachmo\Favorites
2007-08-13 21:32:14 0 d-------- C:\Documents and Settings\Sachmo\Desktop
2007-08-13 21:32:14 0 d--hs---- C:\Documents and Settings\Sachmo\Cookies
2007-08-13 21:32:14 0 d--h----- C:\Documents and Settings\Sachmo\Application Data
2007-08-13 21:31:35 0 d---s---- C:\WINDOWS\system32\Microsoft
2007-08-13 21:31:35 0 d-------- C:\WINDOWS\Prefetch
2007-08-13 21:31:34 249856 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2007-08-13 21:31:34 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-08-13 21:31:34 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2007-08-13 21:31:34 0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-08-13 21:31:34 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-08-13 21:29:42 249856 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-08-13 21:29:42 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-08-13 21:29:42 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2007-08-13 21:29:42 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-08-13 21:29:42 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-08-13 21:26:40 0 d-------- C:\WINDOWS\system32\xircom
2007-08-13 21:26:40 0 d-------- C:\Program Files\microsoft frontpage
2007-08-13 21:26:29 249856 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-08-13 21:26:23 0 d-------- C:\Program Files\HighMAT CD Writing Wizard
2007-08-13 21:26:19 0 d-------- C:\WINDOWS\Downloaded Installations
2007-08-13 21:26:17 0 d-------- C:\Program Files\Windows Journal Viewer
2007-08-13 21:25:30 0 d-------- C:\WINDOWS\system32\URTTemp
2007-08-13 21:25:10 0 -rahs---- C:\MSDOS.SYS
2007-08-13 21:25:10 0 -rahs---- C:\IO.SYS
2007-08-13 21:25:10 0 --a------ C:\CONFIG.SYS
2007-08-13 21:25:10 0 --a------ C:\AUTOEXEC.BAT
2007-08-13 21:24:06 0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-08-13 21:23:55 0 dr------- C:\WINDOWS\Offline Web Pages
2007-08-13 21:23:55 0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-08-13 21:23:42 0 d--h----- C:\Program Files\WindowsUpdate
2007-08-13 21:23:24 0 d-------- C:\WINDOWS\system32\DirectX
2007-08-13 21:22:50 0 d---s---- C:\WINDOWS\Tasks
2007-08-13 21:22:49 0 d-------- C:\Program Files\Common Files\MSSoap
2007-08-13 21:22:45 0 d-------- C:\WINDOWS\srchasst
2007-08-13 21:22:44 0 d-------- C:\WINDOWS\system32\Macromed
2007-08-13 21:22:37 0 d-------- C:\Program Files\Movie Maker
2007-08-13 21:22:29 0 d-------- C:\WINDOWS\system32\Restore
2007-08-13 21:21:48 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-08-13 21:21:34 0 d-------- C:\WINDOWS\Registration
2007-08-13 21:21:26 0 d-------- C:\Program Files\Online Services
2007-08-13 21:21:19 0 d-------- C:\Program Files\Messenger
2007-08-13 21:21:15 0 d-------- C:\Program Files\MSN Gaming Zone
2007-08-13 21:20:42 0 d-------- C:\Program Files\Windows NT
2007-08-13 21:20:39 0 d-------- C:\WINDOWS\system32\MsDtc
2007-08-13 21:20:38 0 d-------- C:\WINDOWS\system32\Com


-- Find3M Report ---------------------------------------------------------------

2007-08-14 06:42:59 62 --ahs---- C:\Documents and Settings\Sachmo\Application Data\desktop.ini
2007-06-29 00:43:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-06-29 00:43:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-06-29 00:43:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43:00 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-06-29 00:43:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-06-29 00:43:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [29/06/2007 12:43 AM]
"nwiz"="nwiz.exe" [29/06/2007 12:43 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [29/06/2007 12:43 AM]
"SoundMan"="SOUNDMAN.EXE" [03/08/2006 05:12 AM C:\WINDOWS\soundman.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [22/11/2006 11:38 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [21/12/2006 04:29 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12/07/2007 04:00 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06 AM]
"Resume copy"="copyfstq.exe" [24/03/2002 10:54 PM C:\WINDOWS\COPYFSTQ.EXE]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/03/2007 03:57 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [27/10/2006 12:47 AM]
"NGServer"="C:\Program Files\Symantec\Ghost\ngserver.exe" [22/05/2001 10:33 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]
"µTorrent"="C:\Program Files\uTorrent\utorrent.exe" [14/08/2007 12:13 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54 PM]
"Steam"="F:\Games\Steam\Steam.exe" [14/08/2007 11:25 AM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [04/04/2007 08:29 AM]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\autorun\autorun.exe

*Newly Created Service* - AVGARCLN
*Newly Created Service* - AVG_ANTI-ROOTKIT



-- End of Deckard's System Scanner: finished at 2007-09-13 16:09:27 ------------


DSS Extra log:

Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3500+
Percentage of Memory in Use: 32%
Physical Memory (total/avail): 2047.48 MiB / 1386.41 MiB
Pagefile Memory (total/avail): 3939.88 MiB / 3394.61 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1958.94 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 25.5 GiB free.
D: is CDROM (Unformatted)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 186.31 GiB total, 110.06 GiB free.
G: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - ST3200822A - 186.31 GiB - 1 partition
\PARTITION0 - Installable File System - 186.31 GiB - F:

\\.\PHYSICALDRIVE0 - ST380011A - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

AV: Symantec AntiVirus Corporate Edition v10.1.5.5010 (Symantec Corporation)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"F:\\Games\\Steam\\Steam.exe"="F:\\Games\\Steam\\Steam.exe:*:Enabled:Steam Client"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"F:\\Games\\Steam\\SteamApps\\Paraflame@hotmail.com\\counter-strike source\\hl2.exe"="F:\\Games\\Steam\\SteamApps\\Paraflame@hotmail.com\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe:*:Enabled:Nero ProductSetup"
"C:\\Program Files\\Serious Sam 2\\Bin\\Sam2.exe"="C:\\Program Files\\Serious Sam 2\\Bin\\Sam2.exe:*:Enabled:Sam2"
"F:\\Games\\Steam\\SteamApps\\Paraflame@hotmail.com\\dark messiah might and magic multi-player\\mm.exe"="F:\\Games\\Steam\\SteamApps\\Paraflame@hotmail.com\\dark messiah might and magic multi-player\\mm.exe:*:Enabled:mm"
"F:\\Games\\Dungeon Siege 2\\DungeonSiege2.exe"="F:\\Games\\Dungeon Siege 2\\DungeonSiege2.exe:*:Enabled:Dungeon Siege 2 Game Executable"
"C:\\Program Files\\Symantec\\Ghost\\GhostSrv.exe"="C:\\Program Files\\Symantec\\Ghost\\GhostSrv.exe:*:Enabled:Symantec Ghost Multicast Server for Windows"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Sachmo\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PARAFLAME
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Sachmo
LANGID=1033
LOGONSERVER=\\PARAFLAME
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\Program Files\Microsoft Office\Office12\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 15 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0f00
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Sachmo\LOCALS~1\Temp
TMP=C:\DOCUME~1\Sachmo\LOCALS~1\Temp
USERDOMAIN=PARAFLAME
USERNAME=Sachmo
USERPROFILE=C:\Documents and Settings\Sachmo
WecVersionForRosebud.830=3
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Sachmo (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AVG Anti-Rootkit Free --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
Dungeon Siege 2 --> "F:\Games\Dungeon Siege 2\UNINSTAL.EXE" /runtemp /uninstall
Dungeon Siege 2 Broken World --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A563C4F4-BE36-4956-BA0B-E02BDD9F70D5}\setup.exe" -l0x9 -removeonly
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Documents and Settings\Sachmo\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
K-Lite Codec Pack 3.3.0 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
LimeWire PRO 4.14.8 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Mozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 7 --> MsiExec.exe /X{A20A58C4-6784-4B4B-86CC-94E2E3671033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB936509) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A00724F5-82C4-4924-B707-0E5A84B52471}
Security Update for Office 2007 (KB934062) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
Security Update for Office 2007 (KB936514) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C7A78F7F-EF32-4477-BAD7-3439EA7571BF}
Security Update for Publisher 2007 (KB936646) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A32E4BAF-6477-45FA-B8AB-E743FA8D63FF}
Security Update for the 2007 Microsoft Office System (KB936960) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}
Serious Sam 2 --> C:\Program Files\Serious Sam 2\Bin\Uninstall.exe
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Symantec AntiVirus --> MsiExec.exe /I{33CFCF98-F8D6-4549-B469-6F4295676D83}
Symantec Ghost --> MsiExec.exe /I{6C8DEA4E-DD0F-4BA9-ACA6-2F5FC354A81F}
TotalCopy 1.2 (Luki Edition) --> C:\WINDOWS\iun6002.exe "C:\WINDOWS\irunin.ini"
Update for Office 2007 (KB932080) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Office 2007 (KB934391) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Office 2007 (KB934393) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {92FBAD46-E7F6-49FA-89B5-C39FC5BFAD15}
Update for Outlook 2007 (KB937608) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {CBB2454D-193F-4523-8A31-FEB343B7C30E}
Update for Outlook 2007 Junk Email Filter (kb936644) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {2B581052-BF85-4AA6-91C5-7B0090712B65}
Update for Word 2007 (KB934173) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C6A89125-5473-45E3-B413-ED8186437475}
VIA Networking Velocity-Family Giga-bit Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Velocity $VNT
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_C074F64CC74B03BC354BB5DC973CCF768D5A7194\amdk8.inf
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type1060 / Success
Event Submitted/Written: 09/13/2007 03:44:02 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type1022 / Success
Event Submitted/Written: 09/12/2007 06:22:43 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type1006 / Success
Event Submitted/Written: 09/12/2007 05:51:46 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type1005 / Error
Event Submitted/Written: 09/12/2007 05:20:01 PM
Event ID/Source: 1000 / Dungeon Siege II
Event Description:
dungeonsiege2.exe2.30.0.4277unknown0.0.0.039001935

Event Record #/Type969 / Success
Event Submitted/Written: 09/11/2007 11:48:33 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1122 / Warning
Event Submitted/Written: 09/13/2007 08:01:00 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type1080 / Error
Event Submitted/Written: 09/12/2007 05:51:26 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 10.1.1.3 for the Network Card with network address 00508DE947D8 has been
denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type1054 / Warning
Event Submitted/Written: 09/12/2007 01:33:52 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type862 / Warning
Event Submitted/Written: 09/05/2007 02:57:38 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type792 / Warning
Event Submitted/Written: 09/04/2007 10:35:38 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00508DE947D8. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2007-09-13 16:09:27 ------------

I didn't run HijackThis again, as I saw that DSS ran it for me.

#9 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:33 AM

Posted 14 September 2007 - 01:37 PM

Looking over your log, it seems you don't have any evidence of a third-party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download & install a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm
2) Agnitum
3) Sunbelt/Kerio
4) Comodo

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

After you have installed a firewall, let me know if the popups continue.

#10 Paraflame

Paraflame
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:33 PM

Posted 14 September 2007 - 10:52 PM

I did have the Agnitum firewall (Outpost) installed when I created this topic, and it hadn't stopped the popups.

However, I haven't had any for a while, and I will reinstall Agnitum and let you know if any come around.
You could close this topic for now if you like; I will retain a link to it, and if I have any more problems I will create a new topic with a fresh HijackThis log and link back to this one as a reference.