

Random Files Generated In Windows\temp


1 reply to this topic

#1 tzic

  • Members
  • 1 posts

Posted 27 January 2008 - 06:09 AM

Hello, I found this post on your forum that looks very similar to my problem as well. I've been trying to solve this for 4 days now without results.

The case: I realized that a strange thing happens. Every 5 - 10 minutes my firewall blocks some exe files that try to run in the windows\temp folder.

(Firewall Kerio Message: Application is launching other application: Windows Command Processor Launched by 1f6f8ed5.exe)

Their names are like that: 0BF63126.exe, 0E0D1EBB.exe, 0F8793B6.exe, 2A9DC0AD.exe, 2D8EC981.exe, 3C855CFC.exe, 3D2C7DA1.exe, 3F82918B.exe, 4B697C15.exe, 5A24C3D9.exe and the list goes on. These are random numbers and letters followed by .exe. They are generated in e:\windows\temp. If I delete them, new files keep getting generated every 5 - 10 minutes. My firewall Kerio blocks them from executing. Apparently something is generating these files but I can't find what it is. Each file is 296KB. This procedure does not happen in SAFE MODE.

I uploaded one of these files to www.virustotal.com for analysis and these were the RESULTS

I read on another forum that these files are generated by HijackThis... But I uninstalled HijackThis and the files keep on coming back...

I also downloaded Deckard's System Scanner, the results are after the hijackthis report


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:09 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
e:\AppServ\Apache2.2\bin\httpd.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\AppServ\Apache2.2\bin\httpd.exe
E:\Program Files\ESET\ESET Smart Security\ekrn.exe
E:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
E:\Program Files\Alias\Maya6.5\docs\wrapper.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
e:\AppServ\MySQL\bin\mysqld-nt.exe
E:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
E:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\CyberLink\Shared files\RichVideo.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\SPAMfighter\SFAgent.exe
E:\Program Files\FlashGet\FlashGet.exe
E:\Program Files\ESET\ESET Smart Security\egui.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
E:\Program Files\Rokario\Bandwidth Monitor\bandmon.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\Program Files\MSN Messenger\usnsvc.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Trend Micro\HijackThis\ewrwers.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
O1 - Hosts: 216.107.242.199 l2authd.lineage2.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - E:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - E:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - E:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SPAMfighter Agent] "E:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [Flashget] E:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] E:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [bandmon] E:\Program Files\Rokario\Bandwidth Monitor\bandmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download All with FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Advanced Email Extractor - res://E:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scan link with AEE - res://E:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/link.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - E:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - E:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://E:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://E:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - E:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166461472687
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.2.1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efcaxvw - E:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - e:\AppServ\Apache2.2\bin\httpd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - E:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - E:\Program Files\Alias\Maya6.5\docs\wrapper.exe
O23 - Service: mysql - Unknown owner - e:\AppServ\MySQL\bin\mysqld-nt.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - E:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - E:\Program Files\xampp\service.exe (file missing)

--
End of file - 11164 bytes


Deckard's System Scanner results are:


-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - "E:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe",2


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 fwdrv (Firewall Driver) - e:\windows\system32\drivers\fwdrv.sys <Not Verified; Kerio Technologies; >
R1 khips (Kerio HIPS Driver) - e:\windows\system32\drivers\khips.sys <Not Verified; ; HIPS>
R1 SASDIFSV - e:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - e:\program files\superantispyware\saskutil.sys
R1 SCDEmu - e:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 atksgt - e:\windows\system32\drivers\atksgt.sys
R2 DgiVecp (Team MFP Comm Driver) - e:\windows\system32\drivers\dgivecp.sys <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
R2 Haspnt - e:\windows\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
R2 lirsgt - e:\windows\system32\drivers\lirsgt.sys
R2 npkcrypt - e:\program files\lineage ii\system\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>
R2 Sentinel - e:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>
R3 pcouffin (VSO Software pcouffin) - e:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 SASENUM - e:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S0 ntcdrdrv - e:\windows\system32\drivers\ntcdrdrv.sys (file missing)
S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - e:\windows\system32\drivers\adildr.sys (file missing)
S2 DS1410D - e:\windows\system32\drivers\ds1410d.sys (file missing)
S2 Parclass - e:\windows\system32\drivers\parclass.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
S3 adiusbaw (USB ADSL WAN Adapter) - e:\windows\system32\drivers\adiusbaw.sys (file missing)
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 NTACCESS - d:\ntaccess.sys (file missing)
S3 Sntnlusb (Rainbow USB SuperPro) - e:\windows\system32\drivers\sntnlusb.sys <Not Verified; Rainbow Technologies Inc.; Rainbow Technologies USB Security Device Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apache2.2 - "e:\appserv\apache2.2\bin\httpd.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 maya65docserver (Maya 6.5 Documentation Server) - "e:\program files\alias\maya6.5\docs\wrapper.exe" -s "e:\program files\alias\maya6.5\docs\wrapper.conf"
R2 mysql - e:\appserv\mysql\bin\mysqld-nt --defaults-file=e:\appserv\mysql\my.ini mysql

S2 XAMPP (XAMPP Service) - e:\program files\xampp\service.exe (file missing)
S3 NBService - e:\program files\nero\nero 7\nero backitup\nbservice.exe
S4 Apache - "e:\appserv\apache\apache.exe" --ntservice (file missing)
S4 RichVideo (Cyberlink RichVideo Service(CRVS)) - "e:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-27 11:58:15 420 --ah----- E:\WINDOWS\Tasks\User_Feed_Synchronization-{F2EC396B-2A02-4745-AC91-DFA026331D94}.job


-- Files created between 2007-12-27 and 2008-01-27 -----------------------------

2008-01-27 12:14:02 0 d-------- E:\Program Files\Trend Micro
2008-01-26 23:05:50 25600 --a------ E:\WINDOWS\system32\WS2Fix.exe
2008-01-26 23:05:50 81920 --a------ E:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-01-26 23:05:49 289144 --a------ E:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-01-26 23:05:49 288417 --a------ E:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-01-26 23:05:49 51200 --a------ E:\WINDOWS\system32\dumphive.exe
2008-01-26 23:05:48 53248 --a------ E:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-01-26 21:14:48 0 d-------- E:\Documents and Settings\All Users\Application Data\Innovative Solutions
2008-01-26 21:14:13 0 d-------- E:\Program Files\Innovative Solutions
2008-01-26 10:44:40 0 d-------- E:\Documents and Settings\tzic\Application Data\Grisoft
2008-01-26 10:44:18 0 d-------- E:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-25 19:15:19 0 d-------- E:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-25 19:15:07 0 d-------- E:\Program Files\SUPERAntiSpyware
2008-01-25 19:15:07 0 d-------- E:\Documents and Settings\tzic\Application Data\SUPERAntiSpyware.com
2008-01-25 19:14:44 0 d-------- E:\Program Files\Common Files\Wise Installation Wizard
2008-01-25 18:56:45 2522 --a------ E:\WINDOWS\system32\tmp.reg
2008-01-25 18:02:50 0 d-------- E:\toolbars
2008-01-25 17:27:03 352 --ah----- E:\WINDOWS\nod32fixtemdono.reg
2008-01-25 16:37:29 0 d-------- E:\Documents and Settings\tzic\Application Data\ESET
2008-01-25 16:00:15 0 d-------- E:\Program Files\SystemRequirementsLab
2008-01-25 14:53:46 0 d-------- E:\Documents and Settings\tzic\Application Data\Rokario
2008-01-25 14:53:42 0 d-------- E:\Program Files\Rokario
2008-01-25 14:23:22 0 d-------- E:\wamp
2008-01-25 13:35:50 0 d-------- E:\Documents and Settings\tzic\Application Data\MySQL
2008-01-25 00:41:35 0 d-------- E:\Program Files\rapget140
2008-01-24 16:57:52 0 d-------- E:\Documents and Settings\Nick\Application Data\SPAMfighter
2008-01-24 16:57:28 0 d-------- E:\Documents and Settings\Nick\Application Data\Identities
2008-01-24 16:56:46 0 dr------- E:\Documents and Settings\Nick\Favorites
2008-01-24 16:56:46 0 d-------- E:\Documents and Settings\Nick\Desktop
2008-01-24 16:56:46 0 d--hs---- E:\Documents and Settings\Nick\Cookies
2008-01-24 16:56:46 0 dr-h----- E:\Documents and Settings\Nick\Application Data
2008-01-24 16:56:46 0 d---s---- E:\Documents and Settings\Nick\Application Data\Microsoft
2008-01-24 16:56:45 0 d--h----- E:\Documents and Settings\Nick\Templates
2008-01-24 16:56:45 0 dr------- E:\Documents and Settings\Nick\Start Menu
2008-01-24 16:56:45 0 dr-h----- E:\Documents and Settings\Nick\SendTo
2008-01-24 16:56:45 0 dr-h----- E:\Documents and Settings\Nick\Recent
2008-01-24 16:56:45 0 d--h----- E:\Documents and Settings\Nick\PrintHood
2008-01-24 16:56:45 1048576 --ah----- E:\Documents and Settings\Nick\NTUSER.DAT
2008-01-24 16:56:45 0 d--h----- E:\Documents and Settings\Nick\NetHood
2008-01-24 16:56:45 0 dr------- E:\Documents and Settings\Nick\My Documents
2008-01-24 16:56:45 0 d--h----- E:\Documents and Settings\Nick\Local Settings
2008-01-24 16:51:33 0 dr------- E:\Documents and Settings\Administrator\Start Menu
2008-01-24 16:51:33 0 dr-h----- E:\Documents and Settings\Administrator\SendTo
2008-01-24 16:51:33 0 d--h----- E:\Documents and Settings\Administrator\Recent
2008-01-24 16:51:33 0 d--h----- E:\Documents and Settings\Administrator\PrintHood
2008-01-24 16:51:33 0 d--h----- E:\Documents and Settings\Administrator\NetHood
2008-01-24 16:51:33 0 d-------- E:\Documents and Settings\Administrator\My Documents
2008-01-24 16:51:33 0 d-------- E:\Documents and Settings\Administrator\Favorites
2008-01-24 16:51:33 0 d-------- E:\Documents and Settings\Administrator\Desktop
2008-01-24 13:30:58 0 d--h----- E:\WINDOWS\system32\GroupPolicy
2008-01-24 13:25:04 0 d--h----- E:\Documents and Settings\Administrator\Templates
2008-01-24 13:25:04 262144 --ah----- E:\Documents and Settings\Administrator\NTUSER.DAT
2008-01-24 13:25:04 0 d--h----- E:\Documents and Settings\Administrator\Local Settings
2008-01-24 13:25:04 0 d---s---- E:\Documents and Settings\Administrator\Cookies
2008-01-24 13:25:04 0 dr-h----- E:\Documents and Settings\Administrator\Application Data
2008-01-24 13:25:04 0 d---s---- E:\Documents and Settings\Administrator\Application Data\Microsoft
2008-01-24 11:50:44 54764 --a------ E:\WINDOWS\system32\jecsst.sys
2008-01-24 11:49:34 0 d-------- E:\WINDOWS\Web Download
2008-01-24 11:43:44 0 d-------- E:\Documents and Settings\All Users\Application Data\ESET
2008-01-24 11:36:02 0 d-------- E:\Program Files\TickQuest
2008-01-23 21:33:07 0 d-------- E:\Program Files\FlashGet
2008-01-12 02:23:39 0 d-------- E:\Documents and Settings\All Users\Application Data\TechSmith
2008-01-12 02:23:24 0 d-------- E:\Program Files\Common Files\TechSmith Shared
2008-01-12 02:23:19 0 d-------- E:\Program Files\TechSmith
2008-01-06 19:30:26 519680 --a------ E:\WINDOWS\system32\SS32D25.DLL <Not Verified; FarPoint Technologies, Inc.; Spread>
2008-01-06 19:30:26 28160 --a------ E:\WINDOWS\system32\MetaStockShellExtension.dll <Not Verified; Equis International; MetaStockShellExtension>
2008-01-06 19:30:19 164864 --a------ E:\WINDOWS\system32\patchw32.dll
2008-01-06 19:30:19 626809 --a------ E:\WINDOWS\system32\OLVI80.dll <Not Verified; Equis International; Online Interface Dynamic Link Library>
2008-01-06 19:30:19 3360 --a------ E:\WINDOWS\system32\MSWTHK16.DLL
2008-01-06 19:30:19 188518 --a------ E:\WINDOWS\system32\msfl80.dll <Not Verified; Equis International, Inc.; MetaStock File Library>
2008-01-06 19:30:19 148480 --a------ E:\WINDOWS\system32\dbcapi.dll
2008-01-06 19:30:18 17920 --a------ E:\WINDOWS\system32\MSWTHK32.DLL
2008-01-06 19:30:18 207360 --a------ E:\WINDOWS\system32\LTKRN61N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-01-06 19:30:18 43008 --a------ E:\WINDOWS\system32\LTFIL61N.DLL
2008-01-06 19:30:18 110080 --a------ E:\WINDOWS\system32\Lfpng61n.dll
2008-01-06 19:30:18 158720 --a------ E:\WINDOWS\system32\LFCMP61N.DLL
2008-01-06 19:30:18 17920 --a------ E:\WINDOWS\system32\IMPLODE.DLL
2008-01-06 19:30:18 217196 --a------ E:\WINDOWS\system32\EqNotify.dll <Not Verified; ; EqNotify Dynamic Link Library>
2008-01-06 19:30:14 0 d-------- E:\Program Files\Equis
2008-01-06 19:30:14 0 d-------- E:\Program Files\Common Files\Equis
2008-01-06 19:30:14 0 d-------- E:\My Documents
2008-01-06 19:30:14 0 d-------- E:\MetaStock Data


-- Find3M Report ---------------------------------------------------------------

2008-01-27 12:01:14 0 d-------- E:\Program Files\FlashFXP
2008-01-27 11:27:15 0 --a------ E:\WINDOWS\TempFile
2008-01-25 19:14:44 0 d-------- E:\Program Files\Common Files
2008-01-25 18:01:51 0 d-------- E:\Program Files\Common Files\Autodesk Shared
2008-01-25 09:17:42 0 d-------- E:\Documents and Settings\tzic\Application Data\uTorrent
2008-01-25 00:05:14 0 d-------- E:\Program Files\Google
2008-01-24 23:36:15 0 d-------- E:\Program Files\Internet Download Manager
2008-01-24 23:33:35 0 d-------- E:\Documents and Settings\tzic\Application Data\IDM
2008-01-24 23:32:39 0 d-------- E:\Documents and Settings\tzic\Application Data\DMCache
2008-01-24 16:59:43 1161274 --a------ E:\WINDOWS\system32\win32dlI
2008-01-22 19:48:01 0 d-------- E:\Program Files\eMule
2008-01-22 17:28:01 0 d-------- E:\Documents and Settings\tzic\Application Data\Vso
2008-01-18 10:41:41 0 d-------- E:\Program Files\HyperVRE
2008-01-15 12:13:56 0 d-------- E:\Documents and Settings\tzic\Application Data\Adobe
2008-01-12 12:09:57 0 d-------- E:\Program Files\Java
2008-01-11 14:15:44 0 d-------- E:\Program Files\SPAMfighter
2008-01-10 16:48:40 0 d-------- E:\Documents and Settings\tzic\Application Data\Skype
2007-12-27 00:32:46 0 d--h----- E:\Program Files\InstallShield Installation Information
2007-12-25 03:41:30 0 d-------- E:\Program Files\Orwell
2007-12-23 10:12:18 0 d-------- E:\Program Files\Opera
2007-12-22 00:13:12 0 d-------- E:\Documents and Settings\tzic\Application Data\GetRightToGo
2007-12-19 15:38:52 0 d-------- E:\Program Files\IObit
2007-12-19 14:03:52 0 d-------- E:\Program Files\Common Files\Ankiro
2007-12-19 14:02:13 0 d-------- E:\Program Files\Common Files\Application
2007-12-19 13:56:55 0 d-------- E:\Program Files\Yahoo!
2007-12-19 13:52:45 0 d-------- E:\Program Files\IEForge
2007-12-19 00:17:06 60416 --a------ E:\WINDOWS\ALCFDRTM.EXE <Not Verified; Realtek Semiconductor Corp.; Realtek ALCFDRTM>
2007-12-19 00:11:55 0 d-------- E:\Documents and Settings\tzic\Application Data\teamspeak2
2007-12-19 00:11:52 0 d-------- E:\Program Files\Teamspeak2_RC2
2007-12-17 12:59:34 0 d-------- E:\Program Files\KeywordsAnalyzer5
2007-12-14 00:00:12 0 d-------- E:\Program Files\ICQ6
2007-12-13 18:24:36 0 d-------- E:\Documents and Settings\tzic\Application Data\dvdcss
2007-12-13 17:43:00 0 d-------- E:\Documents and Settings\tzic\Application Data\vlc
2007-12-07 01:29:36 0 d-------- E:\Program Files\MSXML 6.0
2007-12-05 07:31:07 93890 --a------ E:\WINDOWS\Orwell Uninstaller.exe
2007-12-05 07:31:04 0 d-------- E:\Program Files\Common Files\Thraex Software
2007-12-04 10:31:39 0 d-------- E:\Documents and Settings\tzic\Application Data\AdobeUM
2007-12-03 16:26:07 0 d-------- E:\Program Files\Keyword Elite
2007-12-02 23:02:05 0 d-------- E:\Program Files\Bryxen Software
2007-11-30 19:34:57 0 d-------- E:\Program Files\Lineage II
2007-11-29 15:57:05 0 d-------- E:\Program Files\SEO Elite
2007-10-28 16:52:00 1626112 --a------ E:\WINDOWS\system32\nwiz.exe
2007-10-28 16:52:00 1019904 --a------ E:\WINDOWS\system32\nvwimg.dll
2007-10-28 16:52:00 1703936 --a------ E:\WINDOWS\system32\nvwdmcpl.dll
2007-10-28 16:52:00 466944 --a------ E:\WINDOWS\system32\nvshell.dll
2007-10-28 16:52:00 286720 --a------ E:\WINDOWS\system32\nvnt4cpl.dll
2007-10-28 16:52:00 1478656 --a------ E:\WINDOWS\system32\nview.dll
2007-10-28 16:52:00 1339392 --a------ E:\WINDOWS\system32\nvdspsch.exe
2007-10-28 16:52:00 442368 --a------ E:\WINDOWS\system32\nvappbar.exe
2007-10-28 16:52:00 425984 --a------ E:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [06/18/2004 10:31 AM E:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [10/28/2007 04:52 PM]
"nwiz"="nwiz.exe" [10/28/2007 04:52 PM E:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 04:40 PM]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [07/07/2007 12:03 PM]
"SPAMfighter Agent"="E:\Program Files\SPAMfighter\SFAgent.exe" [01/02/2008 05:03 PM]
"egui"="E:\Program Files\ESET\ESET Smart Security\egui.exe" [12/21/2007 08:21 AM]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [10/28/2007 04:52 PM]
"!AVG Anti-Spyware"="E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 11:25 AM]
"MSConfig"="E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [02/28/2006 02:00 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="E:\Program Files\MSN Messenger\MsnMsgr.exe" [04/19/2007 11:49 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [10/09/2006 11:28 AM]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [02/28/2006 02:00 PM]
"swg"="E:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [01/25/2008 12:05 AM]
"SUPERAntiSpyware"="E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

E:\Documents and Settings\tzic\Start Menu\Programs\Startup\
Adobe Gamma.lnk - E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoClose"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcaxvw]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
Debugger="C:\DOWNLOADS\PROCESSEXPLORER\PROCEXP.EXE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 E:\WINDOWS\system32\pmkjj.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=E:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^FontHit Font Tools.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\FontHit Font Tools.lnk
backup=E:\WINDOWS\pss\FontHit Font Tools.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^tzic^Start Menu^Programs^Startup^Check for TWS Updates.lnk]
path=E:\Documents and Settings\tzic\Start Menu\Programs\Startup\Check for TWS Updates.lnk
backup=E:\WINDOWS\pss\Check for TWS Updates.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
E:\Program Files\Internet Download Manager\IDMan.exe /onboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"E:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"E:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"E:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]
"E:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9be7ab3d-8eb5-11db-93c9-806d6172696f}]
AutoRun\command- D:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c021fb90-86d9-11dc-99af-00110961beb5}]
AutoRun\command- wd_windows_tools\setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{08C4F64A-B8A0-509D-0005-080003000305}]
E:\WINDOWS\system32\win32dlI.exe



-- Hosts -----------------------------------------------------------------------

216.107.242.199 l2authd.lineage2.com


-- End of Deckard's System Scanner: finished at 2008-01-27 12:42:49 ------------
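Added example (not part of the original post, and not code from HijackThis or Deckard's System Scanner): a small Python triage script for the two things the post describes, the identically sized hex-named executables in the temp folder and the log entries a responder would look at first (an O20 Winlogon Notify entry whose path is a bare directory, entries whose target file is missing, a hosts override, and a file name that imitates "dll" with a capital I, as in the win32dlI entry above). The directory listing and its sizes are constructed for the example; the log lines are copied in form from the reports above. Everything it flags is a review heuristic, not a verdict.

```python
"""Triage helpers for the symptoms in the post above: hex-named .exe files
appearing in a temp directory, plus a first pass over HijackThis/DSS log
lines.  All sample data below is constructed for this example."""
import re
from collections import Counter

# Constructed directory listing: (name, size in bytes).  The hex names are the
# ones the poster reported; 303104 bytes is 296 KB, the size quoted in the post.
SAMPLE_TEMP_LISTING = [
    ("0BF63126.exe", 303104),
    ("0E0D1EBB.exe", 303104),
    ("3C855CFC.exe", 303104),
    ("~DF1A2B.tmp", 16384),      # ordinary scratch file, not flagged
    ("setup.exe", 1048576),      # a normal installer left in temp, not flagged
]

# Exactly eight hex digits followed by .exe, the shape of the poster's file names.
HEX_EXE = re.compile(r"^[0-9A-Fa-f]{8}\.exe$")


def hex_named_exes(listing):
    """Return the (name, size) entries whose name is eight hex digits + '.exe'."""
    return [(name, size) for name, size in listing if HEX_EXE.match(name)]


def dominant_size(entries):
    """Most common size among the flagged files and how many share it.

    A run of files with identical size points to one process writing copies
    of the same payload, which is the behaviour the post describes."""
    if not entries:
        return None
    size, count = Counter(size for _, size in entries).most_common(1)[0]
    return size, count


# Constructed log lines, copied in form from the HijackThis and DSS output in
# the post (the last line is a bare path, as DSS prints it).
SAMPLE_LOG_LINES = [
    "O1 - Hosts: 216.107.242.199 l2authd.lineage2.com",
    "O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    "O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE",
    "O20 - Winlogon Notify: !SASWinLogon - E:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll",
    "O20 - Winlogon Notify: efcaxvw - E:\\WINDOWS\\",
    "O23 - Service: PnkBstrA - Unknown owner - E:\\WINDOWS\\system32\\PnkBstrA.exe (file missing)",
    "E:\\WINDOWS\\system32\\win32dlI.exe",
]

# "dl" followed by a capital I or a digit 1 at a word boundary: a name that
# reads as "dll" at a glance.  A real ".dll" (lowercase l) does not match.
DLL_LOOKALIKE = re.compile(r"dl[I1]\b")


def triage_log_lines(lines):
    """Return (line, reason) pairs for entries worth a second look.

    These are review heuristics, not verdicts: an orphaned service or a hosts
    entry can also be a leftover from uninstalled software."""
    findings = []
    for raw in lines:
        line = raw.rstrip()
        if DLL_LOOKALIKE.search(line):
            findings.append((line, "file name imitates 'dll' with a capital I or digit 1"))
        m = re.match(r"^(O\d+) - (.*)$", line)
        if not m:
            continue  # not a HijackThis-style entry; only the look-alike check applies
        section, rest = m.groups()
        if section == "O1":
            findings.append((line, "hosts file overrides DNS for a named host"))
        elif section == "O20" and rest.endswith("\\"):
            findings.append((line, "Winlogon Notify entry points at a directory, not a DLL"))
        elif "(file missing)" in rest or "(no file)" in rest:
            findings.append((line, "orphaned entry: the referenced file is absent"))
    return findings


if __name__ == "__main__":
    flagged = hex_named_exes(SAMPLE_TEMP_LISTING)
    print(f"{len(flagged)} hex-named executables; dominant size: {dominant_size(flagged)}")
    for line, reason in triage_log_lines(SAMPLE_LOG_LINES):
        print(f"[{reason}] {line}")
```

On a live system the listing would come from `os.scandir` over the temp directory and the log from the saved HijackThis report; the functions take plain lists so the same checks can be run over either. The size check matters more than the name pattern alone: a temp folder can legitimately hold hex-named files, but many of them sharing one exact size is the signature the post describes.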

#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 02 February 2008 - 10:09 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum.
My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response, as I'm sure you can appreciate we are extremely busy.

If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere, then please let us know.

If you have not followed the info in the link below prior to posting your log, then please do so now:
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If you still require help, please post a new HijackThis log into this topic in your next reply.

Also post a detailed description of the issues you're experiencing.

*Note*
Post all reports/logs directly into this topic, not as attachments, thanks.



