Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown Problem Causing Immediate Closing Of Explorer And Media Player


  • This topic is locked This topic is locked
20 replies to this topic

#1 jdog52

jdog52

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:53 PM

Posted 09 December 2007 - 04:40 PM

My internet explorer and windows media player close just as soon as they have opened. I was infected by spyware, etc... and have scanned several times, but everything seems to be clean. I was deleting some programs that I don't use earlier and a message popped up and said that I should delete my system32 folder. I am computer illiterate and clicked ok. I then emptied my recycle bin. I don't know if it was just part of the folder or the whole thing. I was having the problems with my internet explorer before I did this. Also, when I open my windows folder, there is still a system32 folder. My operating system seems to still be working fine. My computer has rebooted several times. I have tried a file recovery program, however, there is nothing that has been deleted that says anything about system32. I have tried to restore to a previous date, but it won't go back beyond today. I have the original disc that my roommate used to install XP, its says "XP Pro with SP 2," but it is a copied CD...I guess of his own. The code is not valid and I am unable to re-install. I have a C drive and an E drive. I have copied everything that is important to me onto the E drive. I am using my laptop right now as I am unable to use the desktop explorer. I copied a Hijack this log file onto a disc and am posting it here. Any suggestions? I'd really appreciate it. BTW, Itunes still works. I have run all of the anti-viral software recommended and am clean.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:56 PM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\mrofinu72.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [strtas] lock1.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE54C29159A7DBE80DC744B6CDE3F546CAC59B6
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bolt.com/ImageUploader3.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Terminal Connections (terms) - Unknown owner - C:\WINDOWS\system32\terminals.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5115 bytes

BC AdBot (Login to Remove)

 


m

#2 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,146 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:53 PM

Posted 26 December 2007 - 08:18 PM

Hi jdog52
Sorry for the delay in answering your post, things are really busy here.
If you still need help could you please post back a new Hjt log.... things change so quickly and we need to see what's happening now.
Please let me know one way or another if you still need help.
Thanks

Starbuck

BBPP6nz.png


#3 jdog52

jdog52
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:53 PM

Posted 27 December 2007 - 01:17 AM

Yes, I do need help...thanks alot. I will post a new hjt log ASAP. Thanks for the help

#4 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,146 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:53 PM

Posted 27 December 2007 - 10:44 AM

Hi jdog52

When you post the new Hjt log, could you also confirm if you able to access the internet from your 'Desktop' pc?
or are you having to transfer everything to your laptop for posting here?
Can you also confirm that 're-installing' is Not an option.

Thx

BBPP6nz.png


#5 jdog52

jdog52
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:53 PM

Posted 27 December 2007 - 08:24 PM

I am unable to pull up my explorer or media player still. I reinstalled explorer and the computer was off for about 4 days. When I returned home, the explorer worked for about 2 days. Then, it began messing up just as quickly as before. It won't even begin to open now. I am transferring everything via cd to my laptop. Unfortunately, I will no longer have the laptop after the 30th. Re-installing does not seem to be an option as Microsoft will not accept the OS key that I have written down. I am posting my new HJT log here.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:04 PM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [strtas] lock1.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bolt.com/ImageUploader3.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Terminal Connections (terms) - Unknown owner - C:\WINDOWS\system32\terminals.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4910 bytes

#6 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,146 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:53 PM

Posted 28 December 2007 - 04:40 AM

Hi jdog52

Thanks for the new log.

Please take note of the following:

1. Please do not make any system changes yet. as any changes you make may well alter your log.
2. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
3. If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
4. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Question:
As we haven't much time before the 30th, will you be able to get access to a friends or family members computer if we needed to download anything after this date?

Starbuck

BBPP6nz.png


#7 jdog52

jdog52
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:53 PM

Posted 28 December 2007 - 12:03 PM

Yes, I should be able to get access to someone's computer. Thanks

#8 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,146 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:53 PM

Posted 28 December 2007 - 05:34 PM

Hi jdog52

First off, i have to say and point out:

Some browser hijackers and downloaders such as 'W32/Sdbot-ADQ worm and Backdoor.SdBot.xd ' - have been/are active on your computer. It is known that these trojans can communicate with remote computers, download and run code, send emails and redirect browser requests. Unfortunately we cannot be sure about what they have done.

If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojans have been identified there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy again.

As you have said that a re-install is not an option...... we'll procede with the cleaning.

Step 1
Download the following programs to your Laptop:

SDFix and save it to your desktop.
DrWeb-CureIt & save it to your desktop.
Deckard's System Scanner (DSS) to your Desktop.
Once these programs have been downloaded to your laptop .....
you need to transfer these to a cd and then use the cd to install them to the 'Pc Desktop'.
Once transfered.....

Step 2

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

SDFix
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Double click SDFix.exe and it will extract the files to %systemdrive%
  • (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet

    Step 3
    Please reboot your computer in Safe Mode by doing the following :

    * Restart your computer
    * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, a menu with options should appear;
    * Select the first option, to run Windows in Safe Mode, (you will have to use the 'arrow' keys to navigate on this window) then press "Enter".
    * Choose your usual account.

    Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next replyalong with a new HijackThis log.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe


Step 4
Reboot back into Safe Mode using the previous instructions.
Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
Step 5
Deckard's System Scanner
1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, it will create two text files - main.txt <- this one will be maximized and extra.txt <-this one will be minimized on your Taskbar.
4. Copy/paste both logs back here please (they will also be located at C:\Deckard\System Scanner).

Make sure you notice the extra.txt second log that will show as minimized on your Task Bar, "Maximize" that and be sure to paste those contents here as well.

In your next reply, please post:
SDFix report.
Dr Web report
Both DSS logs.

Also please let me know how things are running now and if Internet Explorer is working again?

Thx

BBPP6nz.png


#9 jdog52

jdog52
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:53 PM

Posted 28 December 2007 - 11:31 PM

The Drweb did not save properly. But, I ran another scan and no infections showed up. The explorer is working now as well. I will post the other logs below.

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:30 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\KernelDrv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [strtas] lock1.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bolt.com/ImageUploader3.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5379 bytes

SDFix:


SDFix: Version 1.120

Run by Justin Rice on Fri 12/28/2007 at 05:09 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\JUSTIN~1\Desktop\SDFix

Safe Mode:
Checking Services:

Name:
lanmandrv
NtmlSvc
terms

Path:
\??\C:\WINDOWS\System32\lanmandrv.sys
%SystemRoot%\System32\svchost.exe -k netsvcs
"C:\WINDOWS\system32\terminals.exe"

lanmandrv - Deleted
NtmlSvc - Deleted
terms - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll - Deleted
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll - Deleted
C:\xz.bat - Deleted
C:\WINDOWS\mrofinu72.exe - Deleted
C:\WINDOWS\system32\lanmandrv.sys - Deleted
C:\WINDOWS\system32\lanmanwrk.exe - Deleted
C:\WINDOWS\system32\qmopt.dll - Deleted
C:\WINDOWS\system32\sahagent1003.exe - Deleted
C:\WINDOWS\Temp\$_2341233.TMP - Deleted
C:\WINDOWS\Temp\$_2341234.TMP - Deleted
C:\WINDOWS\Temp\$b17a2e8.tmp - Deleted



Folder C:\Program Files\Temporary - Removed
Folder C:\Program Files\WinAble - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 17:20:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\Documents and Settings\Justin Rice\Local Settings\Temporary Internet Files\Content.IE5\4Z3RE4TH\search[1].: 25079 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"="C:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe:*:Enabled:Rio Music Manager"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\JUSTIN~1\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 23 Aug 2001 94,784 ..SH. --- "C:\WINDOWS\twain.dll"
Wed 4 Aug 2004 50,688 ..SH. --- "C:\WINDOWS\twain_32.dll"
Wed 4 Aug 2004 1,028,096 A.SH. --- "C:\WINDOWS\system32\mfc42.dll"
Wed 4 Aug 2004 54,784 A.SH. --- "C:\WINDOWS\system32\msvcirt.dll"
Wed 4 Aug 2004 413,696 A.SH. --- "C:\WINDOWS\system32\msvcp60.dll"
Wed 4 Aug 2004 553,472 ..SH. --- "C:\WINDOWS\system32\oleaut32.dll"
Wed 4 Aug 2004 83,456 A.SH. --- "C:\WINDOWS\system32\olepro32.dll"
Wed 4 Aug 2004 11,776 ..SH. --- "C:\WINDOWS\system32\regsvr32.exe"
Thu 23 May 2002 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 12 Sep 2003 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv10.bak"
Thu 23 May 2002 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv18.bak"
Mon 8 Mar 2004 25,088 A..H. --- "C:\Documents and Settings\Justin Rice\My Documents\~WRL0805.tmp"
Thu 23 May 2002 4,348 ...H. --- "C:\Documents and Settings\Justin Rice\My Documents\My Music\License Backup\drmv1key.bak"
Mon 4 Jun 2007 401 A..H. --- "C:\Documents and Settings\Justin Rice\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 10 Mar 2007 488 A.SH. --- "C:\Documents and Settings\Justin Rice\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

Deckards:

Deckard's System Scanner v20071014.68
Run by Justin Rice on 2007-12-28 21:15:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
26: 2007-12-29 03:15:19 UTC - RP536 - Deckard's System Scanner Restore Point
25: 2007-12-28 01:52:57 UTC - RP535 - Software Distribution Service 2.0
24: 2007-12-28 01:52:21 UTC - RP534 - Installed Windows Internet Explorer 7.
23: 2007-12-28 01:51:36 UTC - RP533 - Installed Windows IDNMitigationAPIs.
22: 2007-12-28 01:51:04 UTC - RP532 - Installed Windows NLSDownlevelMapping.


-- First Restore Point --
1: 2007-12-09 00:38:05 UTC - RP511 - Restore Operation


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 384 MiB (512 MiB recommended).


-- HijackThis (run as Justin Rice.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:08 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\KernelDrv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Justin Rice\Desktop\dss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Justin Rice.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [strtas] lock1.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bolt.com/ImageUploader3.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5297 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SbcpHid - c:\windows\system32\drivers\sbcphid.sys
R2 SVKP - c:\windows\system32\svkp.sys <Not Verified; AntiCracking; SVKP driver for NT>

S3 BCM43XX (Wireless-G PCI Adapter Driver) - c:\windows\system32\drivers\wmpci54g.sys <Not Verified; Linksys Corporation; Instant Wireless-G PCI Adapter>
S3 catchme - c:\docume~1\justin~1\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S4 RioMSC (Rio MSC Manager) - c:\windows\system32\riomsc.exe <Not Verified; Digital Networks North America, Inc.; Rio Mass Storage Class Device Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-12-28 21:14:25 274 --a------ C:\WINDOWS\Tasks\Windows Defender.job
2007-12-28 21:14:25 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-12-20 09:39:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-11-28 and 2007-12-28 -----------------------------

2007-12-28 17:47:34 0 d-------- C:\Documents and Settings\Justin Rice\DoctorWeb
2007-12-28 17:08:31 0 d-------- C:\WINDOWS\ERUNT
2007-12-27 19:08:00 14336 --a------ C:\WINDOWS\system32\90665.exe
2007-12-09 13:16:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-09 13:16:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-09 13:08:55 0 d-------- C:\Program Files\Trend Micro
2007-12-08 19:33:17 0 d-------- C:\WINDOWS\network diagnostic
2007-12-08 18:35:57 0 d-------- C:\Program Files\Common Files\Nikon
2007-12-08 17:22:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft(3)
2007-12-08 15:59:54 0 d-------- C:\WINDOWS\system32\msmq
2007-12-08 15:59:52 0 d-------- C:\Inetpub
2007-11-30 01:07:16 0 d-------- C:\Program Files\iPod
2007-11-30 01:06:43 0 d-------- C:\Program Files\iTunes
2007-11-29 21:45:37 0 d-------- C:\Program Files\Windows Defender


-- Find3M Report ---------------------------------------------------------------

2007-12-28 21:15:02 12288 --a------ C:\WINDOWS\system32\Dll.dll
2007-12-28 21:14:44 266088 --a------ C:\WINDOWS\system32\ksvcl.dll
2007-12-28 21:14:27 26258 --a------ C:\WINDOWS\system32\kcopt.dll
2007-12-28 12:50:58 1632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-09 13:16:51 0 d-------- C:\Program Files\Lavasoft
2007-12-09 13:16:08 0 d-a------ C:\Program Files\Common Files
2007-12-08 23:17:22 0 d-------- C:\Program Files\hijack this
2007-12-08 18:36:26 0 d-------- C:\Program Files\Common Files\Adaptec Shared
2007-12-08 18:35:57 0 d-------- C:\Program Files\Winamp
2007-12-08 18:35:49 0 d-------- C:\Program Files\Windows NT
2007-12-08 18:34:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-06 22:24:09 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-01 17:13:34 0 d-------- C:\Program Files\LimeWire
2007-12-01 17:12:52 0 d-------- C:\Program Files\Java
2007-11-30 01:00:08 0 d-------- C:\Program Files\QuickTime
2007-11-29 16:29:07 0 d-------- C:\Program Files\QdrDrive
2007-11-26 21:56:30 0 d-------- C:\Documents and Settings\Justin Rice\Application Data\MySpace
2007-11-26 21:56:24 0 d-------- C:\Program Files\MySpace
2007-11-25 02:49:53 37376 --a------ C:\WINDOWS\system32\KernelDrv.exe
2007-11-25 02:49:53 37376 --a------ C:\WINDOWS\system32\96312.exe
2007-11-24 22:59:40 0 d-------- C:\Program Files\Real
2007-11-24 22:54:35 0 d-------- C:\Documents and Settings\Justin Rice\Application Data\Lavasoft
2007-11-24 22:54:24 0 d-------- C:\Program Files\Lavasoft Ad-Aware
2007-11-13 20:59:31 0 d-------- C:\Program Files\Support.com
2007-10-28 13:25:18 0 d-------- C:\Documents and Settings\Justin Rice\Application Data\Move Networks
2007-09-29 11:55:44 335 --a------ C:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"strtas"="lock1.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"KernelDrv.exe"="C:\WINDOWS\System32\KernelDrv.exe" [11/25/2007 02:49 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/14/2007 11:43 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/15/2007 01:11 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/14/2007 11:43 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\Program Files\NavNT\vptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2007-12-28 21:17:49 ------------


Deckards (2);

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1700MHz
Percentage of Memory in Use: 73%
Physical Memory (total/avail): 383.01 MiB / 102.87 MiB
Pagefile Memory (total/avail): 536.29 MiB / 299 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.32 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 18.64 GiB total, 3.11 GiB free.
D: is CDROM (CDFS)
E: is Fixed (NTFS) - 74.53 GiB total, 38.52 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD200BB-75CLB0 - 18.65 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 18.64 GiB - C:

\\.\PHYSICALDRIVE1 - WDC WD800JB-00CRA1 - 74.53 GiB - 1 partition
\PARTITION0 - Installable File System - 74.53 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"="C:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe:*:Enabled:Rio Music Manager"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Justin Rice\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JUSTIN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Justin Rice
LOGONSERVER=\\JUSTIN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 0 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=000a
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp
USERDOMAIN=JUSTIN
USERNAME=Justin Rice
USERPROFILE=C:\Documents and Settings\Justin Rice
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

HelpAssistant
Justin Rice (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /X{DEBEA68F-45AA-4707-A9A7-DBD6DB4FBE89}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
AOL Instant Messenger --> C:\Program Files\AIM95\uninstll.exe -LOG= C:\Program Files\AIM95\install.log -OEM=
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Easy CD Creator 5 Platinum --> MsiExec.exe /I{8851E12C-0EF9-11D4-A788-009027ABA5D0}
Form Viewer --> MsiExec.exe /X{873D68B3-EDE5-4DFD-85AC-FFC430FB7EE2}
Guide to Passing the PSI Real Estate Exam --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2600418D-EAE6-49E1-B789-91E6AB046780}\setup.exe" -l0x9
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Photo Printing Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\Photo Printing\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\Photo Printing\hpiunPC.dll
hp psc 700 series --> C:\WINDOWS\System32\hpocon09.exe /u 1031112998 /d "hp psc 700 series"
HP Share-to-Web --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{748F4870-8350-11D3-B0BF-080009FB4A19}\setup.exe" --MAIN -l9
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
iTunes --> MsiExec.exe /I{4F5CE18C-D97D-48FF-A510-A0D90C918294}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.0_01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7CF31609-270B-11D6-9445-000102308676}\Setup.exe" Anytext
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LimeWire 4.14.10 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate 1.7 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\Setup.exe" -l0x9 UNINSTALL
Logitech Print Service --> C:\PROGRA~1\Logitech\PRINTS~1\UNWISE.EXE C:\PROGRA~1\Logitech\PRINTS~1\INSTALL.LOG
Logitech QuickCam --> MsiExec.exe /I{0496D9E9-224B-4AFA-8F37-23B98D52F1EB}
Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office XP Professional --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
Microsoft Plus! for Windows XP --> MsiExec.exe /I{EEC2DAFD-5558-40AC-8E9C-5005C8F810E8}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Justin Rice\Application Data\Move Networks\ie_bin\Uninst.exe
MS Access 97 SP2 --> C:\Program Files\Microsoft Office\setup\setup.exe
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
Nikon View 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AAB84E83-C8DF-4752-9DFC-2E2A48EE5E9F}\setup.exe" UNINSTALL
Norton AntiVirus Corporate Edition --> MsiExec.exe /I{BD12EB47-DBDF-11D3-BEEA-00A0CC272509}
QuickTime --> MsiExec.exe /I{9763E36A-08E9-4228-BBCE-12989A4EB1A8}
Rio Internet Update --> MsiExec.exe /X{493F2531-C2E5-4B73-8B11-66E9CFDA9AFA}
Rio Music Manager --> MsiExec.exe /X{282EF7E3-AE54-48AE-A11D-27F512F23AB3}
Rio Taxi --> MsiExec.exe /X{434C733C-27FA-423E-8CDC-F72B55631BA5}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Visioneer 6100 USB Scanner Driver --> C:\WINDOWS\twain_32\paprport\6100USB\UNWISE.EXE C:\WINDOWS\twain_32\paprport\6100USB\INSTALL.LOG
Visioneer PaperPort 6.1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Visioneer\PaperPort\Config\DeIsL1.isu" -y -c"C:\Program Files\Visioneer\PaperPort\UnInstl2.dll"
Wal-Mart Digital Photo Manager --> MsiExec.exe /X{5ABB5D02-BBAA-41D4-BDED-A52DB89A2D2F}
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
ZipForm Desktop --> C:\PROGRA~1\ZIPFOR~1\UNWISE.EXE C:\PROGRA~1\ZIPFOR~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type19678 / Warning
Event Submitted/Written: 12/28/2007 09:14:34 PM
Event ID/Source: 22 / Norton AntiVirus
Event Description:
Norton AntiVirus Realtime Protection failed to load.

Event Record #/Type19675 / Warning
Event Submitted/Written: 12/28/2007 05:45:10 PM
Event ID/Source: 22 / Norton AntiVirus
Event Description:
Norton AntiVirus Realtime Protection failed to load.

Event Record #/Type19671 / Warning
Event Submitted/Written: 12/28/2007 05:43:51 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type19667 / Warning
Event Submitted/Written: 12/28/2007 05:19:00 PM
Event ID/Source: 22 / Norton AntiVirus
Event Description:
Norton AntiVirus Realtime Protection failed to load.

Event Record #/Type19664 / Warning
Event Submitted/Written: 12/28/2007 05:05:11 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type17715 / Warning
Event Submitted/Written: 12/28/2007 09:17:24 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%JUSTIN27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JUSTIN27 can't undo changes that you allow.

For more information please see the following:
%JUSTIN275

Scan ID: {68F6F9D3-8B6F-4249-8783-B28D06A757B0}

User: JUSTIN\Justin Rice

Name: %JUSTIN271

ID: %JUSTIN272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JUSTIN276

Alert Type: %JUSTIN278

Detection Type: 1.1.1593.02

Event Record #/Type17714 / Warning
Event Submitted/Written: 12/28/2007 09:17:24 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%JUSTIN27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JUSTIN27 can't undo changes that you allow.

For more information please see the following:
%JUSTIN275

Scan ID: {FF4D8817-79AA-4A19-8AE6-8DBD7E00E4D4}

User: JUSTIN\Justin Rice

Name: %JUSTIN271

ID: %JUSTIN272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JUSTIN276

Alert Type: %JUSTIN278

Detection Type: 1.1.1593.02

Event Record #/Type17713 / Warning
Event Submitted/Written: 12/28/2007 09:17:24 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%JUSTIN27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JUSTIN27 can't undo changes that you allow.

For more information please see the following:
%JUSTIN275

Scan ID: {63D7F889-439C-4272-9247-E22416A510B8}

User: JUSTIN\Justin Rice

Name: %JUSTIN271

ID: %JUSTIN272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JUSTIN276

Alert Type: %JUSTIN278

Detection Type: 1.1.1593.02

Event Record #/Type17712 / Warning
Event Submitted/Written: 12/28/2007 09:17:21 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%JUSTIN27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JUSTIN27 can't undo changes that you allow.

For more information please see the following:
%JUSTIN275

Scan ID: {7EB113F2-6691-4588-8D44-45E646519169}

User: JUSTIN\Justin Rice

Name: %JUSTIN271

ID: %JUSTIN272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JUSTIN276

Alert Type: %JUSTIN278

Detection Type: 1.1.1593.02

Event Record #/Type17711 / Warning
Event Submitted/Written: 12/28/2007 09:17:21 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%JUSTIN27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JUSTIN27 can't undo changes that you allow.

For more information please see the following:
%JUSTIN275

Scan ID: {1FB15F08-60B7-4EA3-BEF7-3EB1393DDB58}

User: JUSTIN\Justin Rice

Name: %JUSTIN271

ID: %JUSTIN272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JUSTIN276

Alert Type: %JUSTIN278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2007-12-28 21:17:49 ------------



I don't think that I saved these files correctly. I tried to save them directly to disc rather than on desktop as recommended. The deckards folder has a few logfiles. I posted the deckard1.txt and deckard2.txt files above. However, there are also extra.txt, main.txt, and moved.txt. And like I said, there is no DRWeb logfile saved. However, I ran another scan and it came up clean. I can redo this entire process if you think I should. Everything seems to be running better though. Thanks for your help thus far and just let me know what else I need to do.

#10 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,146 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:53 PM

Posted 31 December 2007 - 12:27 PM

Hi jdog52

The explorer is working now as well.

That's good.... well done.
So now we should be able to work directly with the infected computer.

The DSS report and Hjt log are showing that we still have a bit of work to do.
The reports are showing that your Norton AV isn't running. (probably due to the SDBots stopping it)

Step 1
I would recommend that you uninstall:
Norton AntiVirus Corporate Edition
using the add or remove feature from Control Panel
and then do a fresh re-install to get it up and running again.
Once installed.... update the definitions and run a full scan in Safe Mode.
Let it quaranteen or remove anything it finds.

Whilst in the add or remove, these can also go:
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.0_01
Java™ 6 Update 2

These are all old versions and are not needed as you have the newer version:
Java™ 6 Update 3 ( keep this version)
You will need to reboot your pc once you have removed the old versions of Java.

Optional
You also have a program installed called:
Viewpoint Manager
This program is used to update the Viewpoint Media Player. This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware as it is installed without your consent through programs like AOl, AIM, Compuserve, etc.
It's entirely up to you if you want to uninstall it.

Step 2
Please download ComboFix
and save it to your 'Desktop'.

**Note: It is important that it is saved directly to your desktop**

Now:
Close any open browsers and programs.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click combofix.exe and follow the prompts.
When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. This may cause it to stall

In your next reply, please post:
ComboFix report
and a new Hjt log.

Thx

BBPP6nz.png


#11 jdog52

jdog52
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:53 PM

Posted 04 January 2008 - 07:56 PM

I will do so as soon as I can. I just moved and don't have anything set up and don't have another computer to transfer the programs from. However, I will do it as soon. It may be a few days or a week. Will you still be available??

#12 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,146 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:53 PM

Posted 05 January 2008 - 05:12 AM

Hi jdog52
No problem at all.
Just follow the instructions in my last post whenever you are ready.
Hope the move went well.

Speak again soon.

BBPP6nz.png


#13 jdog52

jdog52
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:53 PM

Posted 30 March 2008 - 07:46 PM

It's been awhile, but I have internet and everything now and would like to finish repairing my computer if you still want to help. I have done as you said in your last reply and you will find the logs following:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:34 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [strtas] lock1.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bolt.com/ImageUploader3.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

--
End of file - 5715 bytes


ComboFix 08-03-30.2 - Justin Rice 2008-03-30 15:05:06.1 - NTFSx86
Running from: C:\Documents and Settings\Justin Rice\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MyWay
C:\Program Files\QdrDrive
C:\WINDOWS\system32\ksvcl.dll
C:\WINDOWS\system32\nostalgia.dll
C:\WINDOWS\system32\SHAgent.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LANMANDRV


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-30 14:49 . 2008-03-30 14:49 0 --a------ C:\WINDOWS\vpc32.INI
2008-03-30 12:19 . 2008-03-30 12:16 124,167 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-03-30 12:19 . 2008-03-30 12:16 83,208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-30 12:19 . 2008-03-30 12:16 73,496 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-30 12:18 . 2008-03-30 12:18 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2008-03-30 12:18 . 2008-03-30 12:19 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-30 11:56 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-08 17:30 . 2008-03-08 17:31 <DIR> d-------- C:\Program Files\iTunes
2008-03-08 17:30 . 2008-03-08 17:30 <DIR> d-------- C:\Program Files\iPod
2008-03-08 17:26 . 2008-03-08 17:26 <DIR> d-------- C:\Program Files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 18:19 --------- d-----w C:\Program Files\Symantec
2008-03-30 18:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-30 17:58 --------- d-----w C:\Program Files\Viewpoint
2008-03-30 17:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-30 17:57 --------- d-----w C:\Program Files\Java
2008-03-30 17:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-09 00:21 --------- d-----w C:\Program Files\Winamp
2008-03-08 23:25 --------- d-----w C:\Program Files\QuickTime
2007-12-09 18:52 812,344 ----a-w C:\Program Files\HJTInstall.exe
2007-12-09 18:51 21,216,112 ----a-w C:\Program Files\aaw2007.exe
2007-06-28 02:15 631,496 ----a-w C:\Program Files\ampx_2_6_1_11_en.exe
2007-04-30 03:57 19,000 -c--a-w C:\Documents and Settings\Justin Rice\Application Data\GDIPFONTCACHEV1.DAT
2006-09-26 04:14 11,877,376 ----a-w C:\Program Files\formviewer_setupv3.2.7.msi
2005-11-29 00:36 894,976 ----a-w C:\Program Files\iview397.exe
2005-11-21 22:02 353,381 ----a-w C:\Program Files\LimeWireWin.exe
2004-12-21 04:17 198,217 ----a-w C:\Program Files\hijackthis.zip
2004-05-31 01:11 204,013 ----a-w C:\Program Files\hjtlog.exe
2004-04-12 18:40 10,135,688 ----a-w C:\Program Files\MPSetupXP.exe
2004-03-23 03:16 770,048 ----a-w C:\Program Files\winmx331.exe
2003-09-27 20:43 792,968 ----a-w C:\Program Files\InstallMusicnotesPlayer.exe
2003-01-18 19:36 3,428,903 ----a-w C:\Program Files\DivXPro502GAINBundle.exe
2002-11-27 05:49 394,864 ----a-w C:\Program Files\PlusServicePack_01.exe
2002-11-04 04:25 827,392 ----a-w C:\Program Files\iview375.exe
2002-05-11 03:39 2,019,682 ----a-w C:\Program Files\winamp280_full.exe
2002-04-19 19:10 18,608,854 ----a-w C:\Program Files\ecdc_v5.1_plt.exe
2002-04-18 06:27 136,464 ----a-w C:\Program Files\kmd.exe
2002-04-18 05:24 2,688,104 ----a-w C:\Program Files\aim95.exe
2002-04-18 05:13 1,930,124 ----a-w C:\Program Files\winamp279_full.exe
2001-08-23 12:00 94,784 -csh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 09:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"strtas"="lock1.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"KernelDrv.exe"="C:\WINDOWS\System32\KernelDrv.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 18:04 5562368]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--------- 2004-06-01 10:09 458752 C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--------- 2004-06-01 10:03 217088 C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2004-05-21 18:11 221184 C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\Program Files\NavNT\vptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-06-21 11:14 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2005-10-03 22:10]
S3 pmxscan;Visioneer USB Kernel;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58]
S3 RIOUNIV;Rio universal USB driver;C:\WINDOWS\system32\Drivers\RIOUNIV.sys [2005-01-24 19:35]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-20 15:39:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-30 21:13:46 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-03-30 21:10:42 C:\WINDOWS\Tasks\Windows Defender.job"
- C:\PROGRA~1\WINDOW~4\MSASCui.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 15:20:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-30 15:24:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-30 21:24:21
Pre-Run: 3,480,137,728 bytes free
Post-Run: 3,404,316,672 bytes free

Thanks...

#14 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,146 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:53 PM

Posted 31 March 2008 - 02:44 PM

Hi jdog52

It's good to see you back.

and would like to finish repairing my computer if you still want to help

No problem at all.
Give me some time to go through these reports and i'll get back to you.

BBPP6nz.png


#15 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,146 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:53 PM

Posted 03 April 2008 - 06:08 AM

Hi jdog52

There is one thing i have to point out before we start...

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


If you missed the instructions for installing the 'Recovery Console' in the ComboFix instructions... can you please read them again and install the 'Recovery Console' as mentioned.
This is a safe guard we hope we never need.... but it's best to be safe than sorry.

Step 1
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Step 2
Run Hijackthis again, click scan, and Put a checkmark next to each of these items.
O4 - HKLM\..\Run: [strtas] lock1.exe
O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe

Then close all other windows, browers etc--you should only see HijackThis on your Desktop--and click the Fix Checked button.

Reboot your computer to complete the process.

Step 3
Close any open browsers.
Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
File::
C:\WINDOWS\vpc32.INI
C:\Program Files\kmd.exe

Folder::
C:\Program Files\WinAble

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
as below.
Posted Image

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

Step 4
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will now start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please sumbit:
New ComboFix.txt
Kaspersky Scan results
and a new Hjt log.

Thanks.

BBPP6nz.png





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users