Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Outerinfo Popups And Other Attacks, Please Help!


  • Please log in to reply
16 replies to this topic

#1 The Lost One

The Lost One

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:57 AM

Posted 16 October 2007 - 04:10 PM

OK so I tried to get rid of this outerinfo popup BS and it won't go away. I certainly didn't download it knowingly. Also, I'm having a lot of stuttering in online games and I'm sure that has something to do with it since it was fine before and comcast came out to check. Please let me know what you see in my log. I've run mcafee, and Search and Destroy and got rid of some dialers etc. that seem to keep popping up. I'm not too good at removing this stuff so please be simple with the instructions :blink:

THANKS!!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:08 PM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1166909213\ee\aolsoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1166909213\ee\aolsoftware.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\??crosoft\n?tdde.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\aol\aol toolbar 5.0\AolTbServer.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\Intuit\QuickBooks Pro\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlBridge.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Stamps.com Internet Postage\ipostage.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {18A20B1D-9A84-9D27-A249-EA2B2C918CCF} - C:\WINDOWS\system32\asdxjus.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0a\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166853173596
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166853841327
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...052/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7746 bytes

:thumbsup:

BC AdBot (Login to Remove)

 


m

#2 The Lost One

The Lost One
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:57 AM

Posted 17 October 2007 - 08:48 AM

anyone?

#3 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 17 October 2007 - 02:17 PM

Hi The Lost One and Welcome to the Bleeping Computer!

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

#4 The Lost One

The Lost One
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  

Posted 18 October 2007 - 10:13 AM

Cool thanks for helping! A program I never heard of errored while running the combofix- sed.cfexe. Here is the log:

ComboFix 07-10-17.8@ - NA 2007-10-18 10:43:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1476 [GMT -4:00]
Running from: C:\Program Files\HijackThis\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\NA\Application Data\RACLE~1
C:\Documents and Settings\NA\Application Data\YMBOLS~1
C:\Documents and Settings\NA\My Documents\ASEMBL~1
C:\Documents and Settings\NA\My Documents\SSTEM~1
C:\Program Files\Common Files\asembl~1
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\crosof~1\n?tdde.exe
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\scurit~1
C:\Program Files\Common Files\stem~1
C:\Program Files\dobe~1
C:\Program Files\wnsxs~1
C:\WINDOWS\fnts~1
C:\WINDOWS\system32\asdxjus.dll
C:\WINDOWS\system32\ssembl~1
C:\WINDOWS\system32\ssembl~1\?ssembly\
C:\WINDOWS\system32\stem32~1
C:\WINDOWS\system32\wnsinti.exe
C:\WINDOWS\ymbols~1
C:\WINDOWS\ystem3~1

.
((((((((((((((((((((((((( Files Created from 2007-09-18 to 2007-10-18 )))))))))))))))))))))))))))))))
.

2007-10-18 10:42 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-14 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-10-14 17:35 <DIR> d-------- C:\WINDOWS\NV34282792.TMP
2007-10-12 17:18 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Gtek
2007-10-12 17:17 <DIR> d-------- C:\Program Files\Linksys EasyLink Advisor
2007-10-12 17:17 <DIR> d--h----- C:\Documents and Settings\NA\Application Data\GTek
2007-10-12 17:17 <DIR> d-ah----- C:\Documents and Settings\All Users\Application Data\GTek
2007-10-10 12:30 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-08 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-08 22:44 <DIR> d-------- C:\Program Files\Yahoo!
2007-10-08 16:32 <DIR> d-------- C:\Garmin
2007-10-08 16:32 17,024 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2007-10-08 16:32 7,296 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2007-10-08 14:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}
2007-10-08 14:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
2007-10-08 14:12 36 --ah----- C:\WINDOWS\system32\f9t.dat
2007-10-07 18:07 <DIR> d-------- C:\mcafee_mcpr
2007-10-07 18:07 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-10-07 18:07 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-10-07 18:07 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-10-07 18:07 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-10-07 18:07 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-10-07 18:07 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-10-07 18:06 <DIR> d-------- C:\Program Files\McAfee
2007-10-07 18:06 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-09-19 00:13 <DIR> d-------- C:\Program Files\CommandBurner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-18 05:18 --------- d-----w C:\Program Files\Steam
2007-10-08 18:19 --------- d-----w C:\Program Files\Stamps.com Internet Postage
2007-10-07 22:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-07 22:07 --------- d-----w C:\Program Files\mcafee.com
2007-10-07 21:25 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-07 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-17 05:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-09-17 05:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-09-17 05:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-09-17 05:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-17 05:07 6,853,088 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-09-17 05:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-09-17 05:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-09-17 05:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-09-17 05:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-17 05:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-17 05:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-17 05:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-17 05:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-09-17 05:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-09-17 05:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-09-17 05:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-17 05:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-09-17 05:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-09-17 05:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-17 05:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-09-17 05:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-09-17 05:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-09-17 05:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-09-17 05:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-17 05:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 05:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-17 05:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-17 05:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 05:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-09-17 05:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-09-12 22:13 --------- d-----w C:\Documents and Settings\NA\Application Data\Bioshock
2007-09-12 16:19 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-10 16:40 --------- d-----w C:\Documents and Settings\NA\Application Data\BestOn
2007-09-10 16:30 --------- d-----w C:\Program Files\BestOn
2007-09-10 16:29 --------- d-----w C:\Program Files\Windows Media Components
2007-09-10 16:29 --------- d-----w C:\Program Files\AIM6
2007-09-10 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-10 16:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-10 16:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-10 16:16 --------- d-----w C:\Program Files\Common Files\EZVGACam
2007-09-10 16:16 --------- d-----w C:\Documents and Settings\NA\Application Data\InstallShield
2007-08-23 23:01 --------- d-----w C:\Program Files\Google
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 23:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-06-27 16:15 25,008 ----a-w C:\Documents and Settings\NA\Application Data\GDIPFONTCACHEV1.DAT
2006-02-19 07:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]
"AOL Fast Start"="C:\Program Files\AOL 9.0a\AOL.exe" [2007-04-18 02:49]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^NA^Start Menu^Programs^Startup^AOL OpenRide.lnk]
path=C:\Documents and Settings\NA\Start Menu\Programs\Startup\AOL OpenRide.lnk
backup=C:\WINDOWS\pss\AOL OpenRide.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anoo]
"C:\WINDOWS\system32\SSEMBL~1\dexplore.exe" -vt ndrv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\AOL 9.0a\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
C:\Program Files\Common Files\AOL\1166909213\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
"C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmailScan]
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1166909213\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
"C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\mcafee.com\antivirus\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
C:\WINDOWS\vsnpstd3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
C:\Program Files\Common Files\AOL\1166909213\ee\SSCRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Touogflx]
"C:\Program Files\Common Files\??crosoft\n?tdde.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnpstd3]
C:\WINDOWS\tsnpstd3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ITMRTSVC"=2 (0x2)
"Adobe LM Service"=3 (0x3)

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys
R1 BIOS;BIOS;\??\C:\WINDOWS\System32\drivers\BIOS.sys
R1 BS_I2cIo;BS_I2cIo;\??\C:\WINDOWS\System32\drivers\BS_I2cIo.sys
R2 elagopro;GoProto Protocol Driver for LELA;C:\WINDOWS\system32\DRIVERS\elagopro.sys
R2 elaunidr;UniDriver for LELA;C:\WINDOWS\system32\DRIVERS\elaunidr.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-07 22:07:25 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-10-07 22:07:22 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 10:54:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-18 11:10:46 - machine was rebooted
.
--- E O F ---

Edited by The Lost One, 18 October 2007 - 10:49 AM.


#5 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 18 October 2007 - 01:00 PM

You have any idea what these 2 are?

2007-10-14 17:35 <DIR> d-------- C:\WINDOWS\NV34282792.TMP

2007-10-08 14:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


#6 The Lost One

The Lost One
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:57 AM

Posted 23 October 2007 - 12:06 AM

Thanks for your help! I have no idea what those 2 entries are, should I remove them? If so how?

Here is the log:

Scanning Report
Tuesday, October 23, 2007 00:09:45 - 01:03:42
Computer name: OFFICE
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 9 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 43627
System: 4698
Not scanned: 8
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 8
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\MCAFEE_7KP7BLLHOFHLGFN
C:\WINDOWS\TEMP\MCAFEE_ZXZCJUN9VLG2KDU
C:\WINDOWS\TEMP\MCMSC_ALVC0HNIDF745UR
C:\WINDOWS\TEMP\MCMSC_KRI4BS5RDCV3QHC
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\C_AOL 9.0A\ORGANIZE\(AOL USER ID)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\C_AOL 9.0A\ORGANIZE\CACHE\(AOL USER ID)

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-10-21
F-Secure AVP: 7.0.171, 2007-10-23
F-Secure Orion: 1.2.37, 2007-10-23
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2007-10-15
F-Secure Pegasus: 1.19.0, 2007-09-18
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

#7 The Lost One

The Lost One
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  

Posted 23 October 2007 - 12:09 AM

By the way, this is the second time I ran F-secure since the first time I accidentally lost the log window. There were 108 entries then it fixed...

I'm having a lot of trouble with online games too... I get like a 54 ping, but every so often it will freeze for a second or two. This never used to happen. It may be an issue with my connection though since it happens in xbox live also through my router. I ping different servers like google.com and get 24ms with no data loss... so I have no idea whats going on. Comcast looked at it and said it was fine.

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 23 October 2007 - 03:00 AM

Copy the text below to notepad and save it to the desktop with the name CFScript.txt

DirLook::
C:\WINDOWS\NV34282792.TMP
C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}
C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}

Once saved,drag CFScript.txt on top of ComboFix.exe and this will launch the tool and begin the script.


Once completed,post the new CombFix log

#9 The Lost One

The Lost One
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:57 AM

Posted 23 October 2007 - 08:43 PM

Here it is:


ComboFix 07-10-17.8@ - NA 2007-10-23 21:21:43.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1462 [GMT -4:00]
Running from: C:\Program Files\HijackThis\ComboFix.exe
Command switches used :: C:\Program Files\HijackThis\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-24 to 2007-10-24 )))))))))))))))))))))))))))))))
.

2007-10-18 10:42 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-14 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-10-14 17:35 <DIR> d-------- C:\WINDOWS\NV34282792.TMP
2007-10-12 17:18 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Gtek
2007-10-12 17:17 <DIR> d-------- C:\Program Files\Linksys EasyLink Advisor
2007-10-12 17:17 <DIR> d--h----- C:\Documents and Settings\NA\Application Data\GTek
2007-10-12 17:17 <DIR> d-ah----- C:\Documents and Settings\All Users\Application Data\GTek
2007-10-10 12:30 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-08 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-08 22:44 <DIR> d-------- C:\Program Files\Yahoo!
2007-10-08 16:32 <DIR> d-------- C:\Garmin
2007-10-08 16:32 17,024 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2007-10-08 16:32 7,296 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2007-10-08 14:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}
2007-10-08 14:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
2007-10-08 14:12 36 --ah----- C:\WINDOWS\system32\f9t.dat
2007-10-07 18:07 <DIR> d-------- C:\mcafee_mcpr
2007-10-07 18:07 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-10-07 18:07 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-10-07 18:07 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-10-07 18:07 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-10-07 18:07 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-10-07 18:07 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-10-07 18:06 <DIR> d-------- C:\Program Files\McAfee
2007-10-07 18:06 <DIR> d-------- C:\Program Files\Common Files\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 03:32 --------- d-----w C:\Program Files\Steam
2007-10-08 18:19 --------- d-----w C:\Program Files\Stamps.com Internet Postage
2007-10-07 22:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-07 22:07 --------- d-----w C:\Program Files\mcafee.com
2007-10-07 21:25 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-07 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-19 04:13 --------- d-----w C:\Program Files\CommandBurner
2007-09-17 05:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-09-17 05:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-09-17 05:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-09-17 05:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-17 05:07 6,853,088 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-09-17 05:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-09-17 05:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-09-17 05:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-09-17 05:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-17 05:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-17 05:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-17 05:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-17 05:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-09-17 05:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-09-17 05:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-09-17 05:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-17 05:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-09-17 05:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-09-17 05:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-17 05:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-09-17 05:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-09-17 05:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-09-17 05:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-09-17 05:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-17 05:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 05:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-17 05:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-17 05:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 05:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-09-17 05:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-09-12 22:13 --------- d-----w C:\Documents and Settings\NA\Application Data\Bioshock
2007-09-12 16:19 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-10 16:40 --------- d-----w C:\Documents and Settings\NA\Application Data\BestOn
2007-09-10 16:30 --------- d-----w C:\Program Files\BestOn
2007-09-10 16:29 --------- d-----w C:\Program Files\Windows Media Components
2007-09-10 16:29 --------- d-----w C:\Program Files\AIM6
2007-09-10 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-10 16:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-10 16:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-10 16:16 --------- d-----w C:\Program Files\Common Files\EZVGACam
2007-09-10 16:16 --------- d-----w C:\Documents and Settings\NA\Application Data\InstallShield
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 23:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-06-27 16:15 25,008 ----a-w C:\Documents and Settings\NA\Application Data\GDIPFONTCACHEV1.DAT
2006-02-19 07:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B} ----

2007-10-08 14:14 632 --a------ C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\MSW2KPIMstmp.par
2007-10-08 14:14 276 --a------ C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\MSW2KPIMstmp.dat
2007-10-08 14:14 2513557 --a------ C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\MSW2KPIMstmp.exe
2007-10-08 14:14 129 --a------ C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\instance.dat
2007-07-25 21:29 321108 --a------ C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\mia.dll
2007-04-13 14:59 3386895 --a------ C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\MSW2KPIMstmp.res
2007-04-13 14:59 263680 --a------ C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\MSW2KPIMstmp.msi
2007-04-13 13:43 432056 --a------ C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\setup.bmp

---- Directory of C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8} ----

2007-10-08 14:15 92 --a------ C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}\instance.dat
2007-10-08 14:15 2067 --a------ C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}\stamps.dat
2007-10-08 14:15 13759 --a------ C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}\stamps.par
2007-07-25 21:29 5258418 --a------ C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}\stamps.res
2007-07-25 21:29 4963784 --a------ C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}\stamps.exe
2007-07-25 21:29 403456 --a------ C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}\stamps.msi
2007-07-25 21:29 321108 --a------ C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}\mia.dll
2007-07-22 18:18 432056 -ra------ C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}\setup.bmp

---- Directory of C:\WINDOWS\NV34282792.TMP ----

2007-09-17 01:07 91094 --a------ C:\WINDOWS\NV34282792.TMP\nv3d.chm
2007-09-17 01:07 54988 --a------ C:\WINDOWS\NV34282792.TMP\nvmob.chm
2007-09-17 01:07 170201 --a------ C:\WINDOWS\NV34282792.TMP\nvdsp.chm
2007-09-17 01:07 121441 --a------ C:\WINDOWS\NV34282792.TMP\nvcpl.chm


((((((((((((((((((((((((((((( snapshot@2007-10-18_10.54.54.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-07 20:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 20:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 20:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2007-10-23 13:57:30 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]
"AOL Fast Start"="C:\Program Files\AOL 9.0a\AOL.exe" [2007-04-18 02:49]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^NA^Start Menu^Programs^Startup^AOL OpenRide.lnk]
path=C:\Documents and Settings\NA\Start Menu\Programs\Startup\AOL OpenRide.lnk
backup=C:\WINDOWS\pss\AOL OpenRide.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anoo]
"C:\WINDOWS\system32\SSEMBL~1\dexplore.exe" -vt ndrv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\AOL 9.0a\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
C:\Program Files\Common Files\AOL\1166909213\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
"C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmailScan]
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1166909213\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
"C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\mcafee.com\antivirus\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
C:\WINDOWS\vsnpstd3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
C:\Program Files\Common Files\AOL\1166909213\ee\SSCRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Touogflx]
"C:\Program Files\Common Files\??crosoft\n?tdde.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnpstd3]
C:\WINDOWS\tsnpstd3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ITMRTSVC"=2 (0x2)
"Adobe LM Service"=3 (0x3)

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys
R1 BIOS;BIOS;\??\C:\WINDOWS\System32\drivers\BIOS.sys
R1 BS_I2cIo;BS_I2cIo;\??\C:\WINDOWS\System32\drivers\BS_I2cIo.sys
R2 elagopro;GoProto Protocol Driver for LELA;C:\WINDOWS\system32\DRIVERS\elagopro.sys
R2 elaunidr;UniDriver for LELA;C:\WINDOWS\system32\DRIVERS\elaunidr.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-07 22:07:25 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-10-07 22:07:22 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 21:40:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\system32\zshp1020.exe [1800] 0x8972B1F8

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-23 21:40:51
C:\ComboFix2.txt ... 2007-10-18 11:51
C:\ComboFix3.txt ... 2007-10-18 11:10
.
--- E O F ---

#10 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 24 October 2007 - 03:20 AM

C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}

C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}

These 2 appear to be install directories for snoopstick which isnt classified as the most friendly app in the world.

Do you recall installing this app?

The other directory is also some sort of install directory I believe and all can be deleted manually if you choose to do so.

#11 The Lost One

The Lost One
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:57 AM

Posted 24 October 2007 - 11:23 AM

Hey, no I don't remember installing those, how do I get rid of them? Thanks!

#12 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 24 October 2007 - 03:42 PM

Copy the text below to notepad and save it to the desktop with the name CFScript.txt

Folder::
C:\WINDOWS\NV34282792.TMP
C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}
C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anoo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Touogflx]

Once saved,drag CFScript.txt on top of ComboFix.exe and this will launch the tool and begin the script.


Once completed,post the new CombFix log

#13 The Lost One

The Lost One
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  

Posted 24 October 2007 - 11:42 PM

Thanks for your help, here it is:

ComboFix 07-10-17.8@ - NA 2007-10-25 0:34:17.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1171 [GMT -4:00]
Running from: C:\Program Files\HijackThis\ComboFix.exe
Command switches used :: C:\Program Files\HijackThis\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\instance.dat
C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\mia.dll
C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\MSW2KPIMstmp.dat
C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\MSW2KPIMstmp.exe
C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\MSW2KPIMstmp.msi
C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\MSW2KPIMstmp.par
C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\MSW2KPIMstmp.res
C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\setup.bmp
C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}
C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}\instance.dat
C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}\mia.dll
C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}\setup.bmp
C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}\stamps.dat
C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}\stamps.exe
C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}\stamps.msi
C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}\stamps.par
C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}\stamps.res
C:\WINDOWS\NV34282792.TMP
C:\WINDOWS\NV34282792.TMP\nv3d.chm
C:\WINDOWS\NV34282792.TMP\nvcpl.chm
C:\WINDOWS\NV34282792.TMP\nvdsp.chm
C:\WINDOWS\NV34282792.TMP\nvmob.chm

.
((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.

2007-10-18 10:42 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-14 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-10-12 17:18 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Gtek
2007-10-12 17:17 <DIR> d-------- C:\Program Files\Linksys EasyLink Advisor
2007-10-12 17:17 <DIR> d--h----- C:\Documents and Settings\NA\Application Data\GTek
2007-10-12 17:17 <DIR> d-ah----- C:\Documents and Settings\All Users\Application Data\GTek
2007-10-10 12:30 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-08 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-08 22:44 <DIR> d-------- C:\Program Files\Yahoo!
2007-10-08 16:32 <DIR> d-------- C:\Garmin
2007-10-08 16:32 17,024 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2007-10-08 16:32 7,296 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2007-10-08 14:12 36 --ah----- C:\WINDOWS\system32\f9t.dat
2007-10-07 18:07 <DIR> d-------- C:\mcafee_mcpr
2007-10-07 18:07 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-10-07 18:07 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-10-07 18:07 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-10-07 18:07 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-10-07 18:07 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-10-07 18:07 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-10-07 18:06 <DIR> d-------- C:\Program Files\McAfee
2007-10-07 18:06 <DIR> d-------- C:\Program Files\Common Files\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 16:30 --------- d-----w C:\Program Files\Steam
2007-10-08 18:19 --------- d-----w C:\Program Files\Stamps.com Internet Postage
2007-10-07 22:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-07 22:07 --------- d-----w C:\Program Files\mcafee.com
2007-10-07 21:25 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-07 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-19 04:13 --------- d-----w C:\Program Files\CommandBurner
2007-09-17 05:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-09-17 05:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-09-17 05:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-09-17 05:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-17 05:07 6,853,088 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-09-17 05:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-09-17 05:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-09-17 05:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-09-17 05:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-17 05:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-17 05:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-17 05:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-17 05:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-09-17 05:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-09-17 05:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-09-17 05:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-17 05:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-09-17 05:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-09-17 05:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-17 05:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-09-17 05:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-09-17 05:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-09-17 05:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-09-17 05:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-17 05:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 05:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-17 05:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-17 05:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 05:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-09-17 05:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-09-12 22:13 --------- d-----w C:\Documents and Settings\NA\Application Data\Bioshock
2007-09-12 16:19 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-10 16:40 --------- d-----w C:\Documents and Settings\NA\Application Data\BestOn
2007-09-10 16:30 --------- d-----w C:\Program Files\BestOn
2007-09-10 16:29 --------- d-----w C:\Program Files\Windows Media Components
2007-09-10 16:29 --------- d-----w C:\Program Files\AIM6
2007-09-10 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-10 16:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-10 16:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-10 16:16 --------- d-----w C:\Program Files\Common Files\EZVGACam
2007-09-10 16:16 --------- d-----w C:\Documents and Settings\NA\Application Data\InstallShield
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 23:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-06-27 16:15 25,008 ----a-w C:\Documents and Settings\NA\Application Data\GDIPFONTCACHEV1.DAT
2006-02-19 07:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-18_10.54.54.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-07 20:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 20:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 20:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]
"AOL Fast Start"="C:\Program Files\AOL 9.0a\AOL.exe" [2007-04-18 02:49]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^NA^Start Menu^Programs^Startup^AOL OpenRide.lnk]
path=C:\Documents and Settings\NA\Start Menu\Programs\Startup\AOL OpenRide.lnk
backup=C:\WINDOWS\pss\AOL OpenRide.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\AOL 9.0a\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
C:\Program Files\Common Files\AOL\1166909213\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
"C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmailScan]
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1166909213\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
"C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\mcafee.com\antivirus\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
C:\WINDOWS\vsnpstd3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
C:\Program Files\Common Files\AOL\1166909213\ee\SSCRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnpstd3]
C:\WINDOWS\tsnpstd3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ITMRTSVC"=2 (0x2)
"Adobe LM Service"=3 (0x3)

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys
R1 BIOS;BIOS;\??\C:\WINDOWS\System32\drivers\BIOS.sys
R1 BS_I2cIo;BS_I2cIo;\??\C:\WINDOWS\System32\drivers\BS_I2cIo.sys
R2 elagopro;GoProto Protocol Driver for LELA;C:\WINDOWS\system32\DRIVERS\elagopro.sys
R2 elaunidr;UniDriver for LELA;C:\WINDOWS\system32\DRIVERS\elaunidr.sys

*Newly Created Service* - ATWPKT2
.
Contents of the 'Scheduled Tasks' folder
"2007-10-07 22:07:25 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-10-07 22:07:22 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 00:38:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-25 0:39:21 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-23 21:40
C:\ComboFix3.txt ... 2007-10-18 11:51
.
--- E O F ---

#14 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 25 October 2007 - 02:56 AM

OK,lets run a couple of more scans and see how we did.

Try the Panda Total Scan,be sure to save the report at the end and post it back here.
http://www.nanoscan.com/as/v1/principal.aspx

#15 The Lost One

The Lost One
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:57 AM

Posted 30 October 2007 - 03:08 PM

Here it is, I didn't do their disinfect though because you have to sign up and I'm not familiar with it.


;***********************************************************************************************************************************************************************************
ANALYSIS: 2007-10-30 16:04:23
PROTECTIONS: 1
MALWARE: 28
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@trafficmp[2].txt
00145460 Cookie/2o7 TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@2o7[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@tribalfusion[2].txt
00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@ccbill[2].txt
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@www.myaffiliateprogram[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@com[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@xiti[1].txt
00167724 Cookie/HotLog TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@hotlog[1].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@perf.overture[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@bs.serving-sys[2].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@www.burstbeacon[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@ads.pointroll[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@overture[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@realmedia[2].txt
00170557 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@terra.com[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@questionmarket[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@go[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@target[2].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@did-it[2].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\NA\Cookies\na@atwola[1].txt
00285243 Adware/Maxifiles Adware No 1 No No C:\Program Files\support.com\temp\ComcastToolbar.exe[²ÜÇ\nsProcess.dll]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Program Files\HijackThis\ComboFix.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Program Files\HijackThis\ComboFix.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{625DCA0F-CBCC-4207-AC62-3E7809DD37AB}\RP6\A0006773.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{625DCA0F-CBCC-4207-AC62-3E7809DD37AB}\RP5\A0005525.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{625DCA0F-CBCC-4207-AC62-3E7809DD37AB}\RP3\A0002375.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\NirCmd.exe
01311705 Trj/Agent.GMX Virus/Trojan No 0 No No C:\System Volume Information\_restore{625DCA0F-CBCC-4207-AC62-3E7809DD37AB}\RP1\A0000100.exe[WSu.exe]
02001983 Adware/DnsInsider Adware No 0 No No C:\System Volume Information\_restore{625DCA0F-CBCC-4207-AC62-3E7809DD37AB}\RP1\A0000100.exe[UE.exe]
02405180 Adware/PurityScan Adware No 0 Yes No C:\qoobox\Quarantine\C\WINDOWS\system32\asdxjus.dll.vir
02405180 Adware/PurityScan Adware No 0 Yes No C:\System Volume Information\_restore{625DCA0F-CBCC-4207-AC62-3E7809DD37AB}\RP3\A0002318.dll
02405213 Adware/PurityScan Adware No 0 Yes No C:\System Volume Information\_restore{625DCA0F-CBCC-4207-AC62-3E7809DD37AB}\RP1\A0000100.exe
02405214 Adware/PurityScan Adware No 0 Yes No C:\qoobox\Quarantine\C\Program Files\Common Files\CROSOF~1\nеtdde.exe.vir
02405214 Adware/PurityScan Adware No 0 Yes No C:\System Volume Information\_restore{625DCA0F-CBCC-4207-AC62-3E7809DD37AB}\RP3\A0002319.exe
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users