P2p Worm


  • This topic is locked
18 replies to this topic

#1 ShrOomiN

ShrOomiN

  • Members
  • 59 posts
  • OFFLINE
  • Local time:06:23 AM

Posted 17 April 2008 - 12:15 PM

So this must be a p2p infection. I hope you guys don't immediately assume I'm a criminal, I only download legal and unclaimed stuff, and it makes sharing legal files, some even my own, easier with my friends. So let's begin. I thought something was up when I noticed in two of my p2p programs that happened to share the same network, I kept getting a couple of gigabytes' worth of warez in my receiving folder. I deleted it all and it came back, so I thought something was definitely wrong. I removed both programs and haven't reinstalled them since. It was Shareaza & eMule that I had. Everything was fine and I thought okay, I should do some maintenance, so I used Spyware Terminator, avast, Spybot Search & Destroy, Ad-Aware, CCleaner, and Privacy Mantra. Not to mention I did some personal browsing and made sure I removed unneeded programs, checked my processes and the works. I thought it would work, but avast told me I had rootkits, ones it couldn't get rid of. So like 3-4 days from scanning everything, cause I was lazy and irresponsible and didn't come to you guys fast enough, something else happened. I suspect it was the rootkits, but my computer became extremely slow upon start up. I had to wait a good 20 minutes before I could comfortably use it after booting up and even logging in. So finally when I got the time, and when my computer was running smoothly after the slow boot up, I got a log from avast and deleted the rootkits using Sophos Anti-Rootkit. Which pretty much brought me here, because my computer still has this booting up problem, so I think I still have some more things to worry about. I can't get any more clues out of anything lately, so I think there's nothing else left for me but the experts. One thing though, I hope it's not much of a problem, but for some reason I couldn't get the second .txt file Deckard's System Scanner is supposed to give you, the one called "extra.txt".
I did get one the first time I ran Deckard but I forgot to run Kaspersky first so I deleted that, but ever since I can't get a second extra.txt file. I even "reinstalled" Deckard, and looked in the folder it leaves on the C drive, but I can't find that file. And my Kaspersky log is in the attachment.

Well, if you need to know anything else, my computer is running Windows XP SP2 on an AMD Athlon 64 4000+ @ 2.59 GHz, it has 1.50 GB of RAM (512 MB added like a month ago), and it is a Gateway MX7515 if anything else needs to be known.

Thanks a lot everyone it's great what you're doing here.

--------------------------
Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-17 12:59:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:39 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\aawservice.exe
C:\Documents and Settings\Owner\Application Data\Alwil\aswUpdSv.exe
C:\Documents and Settings\Owner\Application Data\Alwil\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Documents and Settings\Owner\Sony 2\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Documents and Settings\Owner\Application Data\Sunbelt\kpf4ss.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Documents and Settings\Owner\Application Data\Alwil\ashMaiSv.exe
C:\Documents and Settings\Owner\Application Data\Alwil\ashWebSv.exe
C:\Documents and Settings\Owner\Application Data\Sunbelt\kpf4gui.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\DOCUME~1\Owner\APPLIC~1\Alwil\ashDisp.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Documents and Settings\Owner\Application Data\Sunbelt\kpf4gui.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Owner\Application Data\Winamp\winampa.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\DOCUME~1\Owner\APPLIC~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [avast!] C:\DOCUME~1\Owner\APPLIC~1\Alwil\ashDisp.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Documents and Settings\Owner\Application Data\Ahead\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Policies\Explorer\Run: [Windows Security Tool] WinSecure.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA59FCBA-94A6-440E-8DBE-50A313104836}: NameServer = 192.168.0.1,4.2.2.2
O20 - Winlogon Notify: voicesub32 - voicesub32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Documents and Settings\Owner\Application Data\Alwil\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Documents and Settings\Owner\Application Data\Alwil\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Documents and Settings\Owner\Application Data\Alwil\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Documents and Settings\Owner\Application Data\Alwil\ashWebSv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Documents and Settings\Owner\Application Data\Sunbelt\kpf4ss.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7793 bytes

-- Files created between 2008-03-17 and 2008-04-17 -----------------------------

2008-04-17 12:57:31 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-04-17 00:59:04 0 d-------- C:\WINDOWS\LastGood
2008-04-17 00:00:55 18816 -----n--- C:\WINDOWS\system32\SAVRKBootTasks.sys <Not Verified; Sophos Plc; Sophos Anti-Rootkit>
2008-04-16 23:33:08 0 d-------- C:\Documents and Settings\Owner\Application Data\Sophos Anti-Rootkit
2008-04-15 10:41:47 0 d-------- C:\Documents and Settings\Owner\Application Data\mIRC
2008-04-15 07:53:36 0 d-------- C:\Documents and Settings\Owner\Application Data\XDCC Browser
2008-04-15 07:18:31 0 d-------- C:\Documents and Settings\Owner\Application Data\Hijack This
2008-04-11 20:06:46 0 d-------- C:\ed65496c7e16be380da7c45bd621
2008-04-04 12:17:00 0 d-------- C:\Documents and Settings\Owner\Application Data\Ashampoo
2008-04-04 12:16:05 0 d-------- C:\Documents and Settings\All Users\Application Data\ashampoo
2008-04-04 12:15:48 0 d-------- C:\Documents and Settings\Owner\Application Data\Ashampoo Burning Studio 7
2008-04-04 11:36:15 0 d-------- C:\Program Files\NeroInstall.bak
2008-03-31 07:59:27 0 d-------- C:\Documents and Settings\Owner\Application Data\gtk-2.0
2008-03-31 07:57:42 0 d-------- C:\Documents and Settings\Owner\deluge
2008-03-31 07:55:19 0 d-------- C:\Documents and Settings\Owner\Application Data\Deluge
2008-03-31 01:29:30 0 d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-03-30 23:42:01 0 d-------- C:\Documents and Settings\Owner\Application Data\Super DVD Creator 9.5
2008-03-28 21:35:31 37888 --a------ C:\WINDOWS\system32\rar.exe <Not Verified; Microsoft Corporation; Microsoftģ Windows ģ 2000 Operating System>
2008-03-28 21:35:21 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP


-- Find3M Report ---------------------------------------------------------------

2008-04-17 12:58:48 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla Firefox
2008-04-16 10:28:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-15 23:46:42 0 d-------- C:\Documents and Settings\Owner\Application Data\PeerGuardian2
2008-04-15 06:29:57 0 d-------- C:\Documents and Settings\Owner\Application Data\Steam
2008-04-14 09:31:22 0 d-------- C:\Program Files\Spyware Terminator
2008-04-11 13:53:44 0 d-------- C:\Program Files\AIM6
2008-04-06 10:31:25 0 d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2008-04-04 12:00:22 0 d-------- C:\Program Files\Common Files\Nero
2008-04-04 01:10:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Spyware Terminator
2008-04-03 11:50:55 0 d-------- C:\Documents and Settings\Owner\Application Data\ABC Amber LIT Converter
2008-04-02 11:53:13 0 d-------- C:\Documents and Settings\Owner\Application Data\Alwil
2008-03-13 00:23:40 14 --a------ C:\WINDOWS\popcinfo.dat
2008-03-10 01:59:51 0 d-------- C:\Documents and Settings\Owner\Application Data\Spybot - Search & Destroy
2008-03-10 01:59:01 2550 --a------ C:\WINDOWS\unins000.dat
2008-03-10 01:53:47 691545 --a------ C:\WINDOWS\unins000.exe
2008-03-08 18:53:21 0 d-------- C:\Documents and Settings\Owner\Application Data\Prime 95
2008-02-24 13:48:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Sunbelt
2008-01-27 20:38:06 4096 --a------ C:\WINDOWS\system32\crash


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/15/2005 01:05 AM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/05/2004 01:47 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/05/2004 01:47 PM]
"@"="" []
"SunKist"="C:\Program Files\Digital Media Reader\shwicon2k.exe" [05/26/2004 09:57 PM]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"avast!"="C:\DOCUME~1\Owner\APPLIC~1\Alwil\ashDisp.exe" [03/29/2008 02:37 PM]
"NBKeyScan"="C:\Documents and Settings\Owner\Application Data\Ahead\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [03/09/2008 07:22 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:00 PM]
"Steam"="" []
"@"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]
"Aim6"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" []

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2/22/2007 4:38:45 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 4:05:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"Windows Security Tool"=WinSecure.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\voicesub32]
voicesub32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command- I:\autorun.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6aba70c-c2b8-11db-aa22-806d6172696f}]
AutoRun\command- E:\AutoRunMorrowind.exe
install\command- E:\Setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb



-- End of Deckard's System Scanner: finished at 2008-04-17 13:01:12 ------------

Attached Files


Edited by ShrOomiN, 17 April 2008 - 12:28 PM.



#2 annabackwards

annabackwards

  • Members
  • 1,381 posts
  • OFFLINE
  • Gender:Female
  • Location:Sydney, Australia.
  • Local time:10:23 PM

Posted 29 April 2008 - 06:05 AM

Hello ShrOomiN,

I am currently studying your log and will be back to you as soon as possible. Thank you for your patience.

Sorry about the delay,
Anna

Surf smarter, surf faster, surf safer, surf with Mozilla Firefox

#3 ShrOomiN

ShrOomiN
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:06:23 AM

Posted 29 April 2008 - 03:25 PM

No prob, I was stupid enough to be so neglectful anyway, so thank you.

#4 annabackwards

annabackwards

  • Members
  • 1,381 posts
  • OFFLINE
  • Gender:Female
  • Location:Sydney, Australia.
  • Local time:10:23 PM

Posted 05 May 2008 - 06:19 AM

Hello ShrOomiN,

I apologise for the delay :blink:

You mention that you use peer-to-peer or file-sharing programs. These programs allow users to share files between each other, as the name suggests. In today's world cybercrime has grown to an enormous scale, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should therefore be used with great care. Some further reading on this subject, via the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office." I suggest therefore not using such programs, especially since your infection was caused by the use of p2p programs :thumbsup:

1. Please download FixWareout from one of these mirrors:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt).

2. Download RootAlyzer to your desktop.
  • Unzip it to a folder on your desktop, close all windows, and run RootAlyzer.exe
  • Click Ok to the two prompts and let the program run its Quick Scan automatically, this should only take a few seconds
  • Click the Deep Scan tab, check all the boxes and click Ok. Let the scan run un-interrupted, it will take a few minutes.
  • When it is finished scanning, a Log tab will appear at the top, click that. Highlight all the text, right-click on it and press Copy.
  • Paste that information back here by pressing Ctrl + V, or right-click and press Paste. Also mention if you had any problems.
3. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:

O4 - HKCU\..\Policies\Explorer\Run: [Windows Security Tool] WinSecure.exe
O20 - Winlogon Notify: voicesub32 - voicesub32.dll (file missing)


4. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

5. Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\WinSecure.exe
    C:\ed65496c7e16be380da7c45bd621
    C:\WINDOWS\system32\rar.exe 
    C:\WINDOWS\popcinfo.dat
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

6. Click on Start, then click on Run.
Copy and paste the following into the Open box, then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open the DSS configuration.
Click on Check All, then click Scan.
DSS will now run again. When it has finished, please post back both logs that open in Notepad: main.txt and extra.txt.

7. Please then reply to this thread and include the following logs:
  • The FixWareout log
  • The OtmoveIt log
  • Both the main.txt and extra.txt DSS logs


Surf smarter, surf faster, surf safer, surf with Mozilla Firefox
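As an added example for this thread (not a BleepingComputer tool and not something the helpers here posted), the Python script below turns the reasoning behind step 3 above into detection logic: it parses HijackThis O4 and O20 lines and flags the traits a log reader looks for in the two entries listed for fixing, an autorun registered under Policies\Explorer\Run, an executable named without any path, and a Winlogon Notify DLL tagged "(file missing)". It generalises beyond those two lines, since the same heuristics apply to any O4/O20 entry. The sample lines are constructed to mirror the shapes of entries in the log posted above; the regular expressions, function names and heuristics are assumptions of this example, not part of HijackThis.

```python
"""Heuristic triage of HijackThis O4/O20 lines.

Added example; the regexes, heuristics and sample lines are assumptions of
this example, not part of HijackThis or any BleepingComputer tool.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: the shape of entries seen in a HijackThis log. The two
# entries listed for fixing in the thread sit alongside ordinary ones.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Security Tool] WinSecure.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O20 - Winlogon Notify: voicesub32 - voicesub32.dll (file missing)
"""

# O4 registry autoruns: "O4 - <hive>\..\<key>: [<name>] <command>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# O20 Winlogon Notify packages, optionally tagged "(file missing)" by HijackThis
O20_RE = re.compile(
    r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$'
)


def executable_of(cmd: str) -> str:
    """Return the executable part of an autorun command (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line: str) -> Optional[str]:
    """Return a human-readable reason if the line warrants a closer look, else None."""
    m = O4_RE.match(line)
    if m:
        reasons = []
        # Policies\Explorer\Run is the policy-driven autorun key; ordinary
        # installed software registers itself under plain Run instead.
        if "Policies\\Explorer\\Run" in m["key"]:
            reasons.append("autorun under Policies\\Explorer\\Run")
        exe = executable_of(m["cmd"])
        # A bare file name is resolved through the search path at logon, which
        # hides where the file actually lives; installers normally write full paths.
        if "\\" not in exe and not exe.startswith("%"):
            reasons.append(f"bare executable name {exe!r} with no path")
        return "; ".join(reasons) or None
    m = O20_RE.match(line)
    if m:
        if m["missing"]:
            # The registry still points at a DLL that is gone: dangling
            # persistence that deserves removal whatever the DLL was.
            return f"Winlogon Notify DLL {m['dll']!r} registered but file missing"
        return f"Winlogon Notify DLL {m['dll']!r} loads into winlogon; verify its publisher"
    return None  # other sections (O2, O16, O23, Startup folders, ...) are not handled here


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Scan a whole HijackThis log and return (line, reason) pairs worth reviewing."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = triage_line(line)
        if reason:
            hits.append((line, reason))
    return hits


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the constructed sample, only the WinSecure.exe autorun and the voicesub32 Winlogon Notify entry are reported, which matches the two lines the helper asked to have fixed; the Synaptics, Spyware Terminator and ctfmon entries pass because they carry full paths under the normal Run keys.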

#5 ShrOomiN

ShrOomiN
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:06:23 AM

Posted 05 May 2008 - 11:07 PM

Awesome! Thanks a lot :thumbsup:, I've done everything you asked and here's the goods. First thing up is the results of the RootAlyzer scan. I attached the logs for Deckard's, OTMoveIt, and FixWareout, so you don't get all cluttered and confused in this post. Oh and another thanks for telling me how to get the extra log on Deckard's, that caused me a lot of trouble before.

-------------------------------------------------------------
I didn't log the results correctly at first, below are the results for the quick scan

File:"<$FILE_EXE>","C:\WINDOWS\system32\$FSPINI$.DAT"
File:"<$FILE_EXE>","C:\WINDOWS\system32\FLOCKER.ACL"
File:"<$FILE_EXE>","C:\WINDOWS\system32\Flocker.USR"


----------------------------------------------
These are the results for the Deep Scan
----------------------------------------------

// info: Rootkit removal help file
// copyright: © 2008 Safer Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Hidden file","C:\WINDOWS\system32\$FSPINI$.DAT"
File:"Hidden file","C:\WINDOWS\system32\FLOCKER.ACL"
File:"Hidden file","C:\WINDOWS\system32\Flocker.USR"
File:"Invisible to Win32","C:\WINDOWS\system32\$FSPINI$.DAT"
File:"Invisible to Win32","C:\WINDOWS\system32\FLOCKER.ACL"
File:"Invisible to Win32","C:\WINDOWS\system32\Flocker.USR"
File:"Unknown ADS","C:\WINDOWS\Cursors\arrow_n.cur:NEDTA.DAT:$DATA"
File:"No admin in ACL","C:\Program Files\Crawler\ctbcomm.dll.pin"
File:"No admin in ACL","C:\Program Files\Crawler\ctbr.dll.pin"
File:"Unknown ADS","C:\Documents and Settings\Owner\My Documents\My Videos\Videos\Music Videos\Back To School (Mini Maggit).flv:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\My Documents\My Videos\Videos\Music Videos\Bittersweet (Live).flv:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\My Documents\My Videos\Videos\Music Videos\Bittersweet.flv:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\My Documents\My Videos\Videos\Music Videos\Boys Republic (Live & Acoustic).flv:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\My Documents\My Videos\Videos\Music Videos\Change (In The House Of Flies).flv:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\My Documents\My Videos\Videos\Music Videos\Knife Party (Live & Acoustic).flv:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\My Documents\My Videos\Videos\Music Videos\Parabol & Parabola.flv:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\My Documents\My Videos\Videos\Music Videos\Schism.flv:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\My Documents\My Videos\Videos\Music Videos\Vicarious.flv:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\My Documents\My Videos\Videos\Funny Clips\Bittersweet (Speeded Up).flv:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\My Documents\My Videos\Videos\Funny Clips\FPS Doug, Episode 3.flv:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\My Documents\My Videos\Videos\Funny Clips\J1 - The Juggernaut bleep.flv:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\My Documents\My Videos\Videos\Funny Clips\Power Rangers, Gangster Crizzab.flv:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\My Documents\My Videos\Videos\Funny Clips\Super Juggernaut bleep.flv:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\My Documents\My Videos\Videos\Funny Clips\Trivium Interpretation.flv:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\Application Data\Winamp\Playlist\Playlist 1.m3u:DocumentSummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\Application Data\Winamp\Playlist\Playlist 1.m3u:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\Application Data\Winamp\Playlist\Playlist 2.m3u:DocumentSummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\Application Data\Winamp\Playlist\Playlist 2.m3u:SummaryInformation:$DATA"
File:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\Nero\Nero8\OnlineServices\usagestats.bin"
Directory:"No admin in ACL","C:\System Volume Information"
Directory:"No admin in ACL","C:\Program Files\Crawler"
Directory:"No admin in ACL","C:\Program Files\Spyware Terminator"
Directory:"No admin in ACL","C:\Program Files\Spyware Terminator\help"
Directory:"No admin in ACL","C:\Documents and Settings\Owner\Application Data\Spyware Terminator"
Directory:"Invisible to Win32","C:\Documents and Settings\Owner\Application Data\Y0YS Software\Unlocking Folder Security Personal 4.10.312"
Directory:"Invisible to Win32","C:\Documents and Settings\Owner\Application Data\Y0YS Software\Folder Security Personal 4.10.312\My Locked Folder 1"
Directory:"Invisible to Win32","C:\Documents and Settings\Owner\Application Data\Y0YS Software\Folder Security Personal 4.10.312\My Locked Folder 2"
Directory:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\Spyware Terminator"
Directory:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\TEMP:A73B0434:$DATA"

Attached Files



#6 ShrOomiN

ShrOomiN
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:06:23 AM

Posted 06 May 2008 - 12:10 AM

Allow me to just say, I don't think this is working, after doing some of the things in your reply. My computer was still showing its usual symptoms. I figured I would take it for a test drive, and restart it and just use it at my leisure, but it was still acting up. The same old thing happened, extremely slow boot up, that for some reason I could only cure by pressing Ctrl/Alt/Delete and opening Windows Firefox. I'm still not sure why that works, but for some reason it cures my slow boot up, but I wish I didn't have to do that every time I start the computer up because if I don't it just freezes. Do what you gotta though, and we'll see if you find anything that slaps my little problem into the past.

#7 annabackwards

annabackwards

  • Members
  • 1,381 posts
  • OFFLINE
  • Gender:Female
  • Location:Sydney, Australia.
  • Local time:10:23 PM

Posted 07 May 2008 - 01:41 AM

Hello ShrOomiN,

I don't think this this is working, after doing some of the things in your reply

It will take a while for your computer to be clean, assuming that your problems are malware related :thumbsup:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
For more information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Surf smarter, surf faster, surf safer, surf with Mozilla Firefox

#8 ShrOomiN

ShrOomiN
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:06:23 AM

Posted 09 May 2008 - 12:12 PM

Done deal, I've attached the combofix log, and hjt log.

Attached Files



#9 annabackwards

annabackwards

  • Members
  • 1,381 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Sydney, Australia.
  • Local time:10:23 PM

Posted 12 May 2008 - 04:06 AM

Hello ShrOomiN,

I got a log from avast and deleted the rootkits using Sophos Anti-Rootkit.

Please tell me what you deleted.

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Please then do the following:

1. Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
2. Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

3. Run HijackThis.
Click on Open the Misc Tools Section.
Then press Generate StartupList log, making sure that both boxes next to it are checked.
Select Yes at the prompt.
A Notepad file will open, and will automatically be saved in your HijackThis folder.
Paste this log in your next reply.
More information with a screenshot, can be found here.

Then,

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:
  • Copy the entire contents of the Code Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::
C:\DOCUME~1\Owner\LOCALS~1\Temp\ASFWHide

Registry::
[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ASFWHide]
"ImagePath"=-

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Remember to post the HijackThis startup log here in a reply along with the ComboFix log. Also, please let me know of any problems you may have encountered.
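The note above explains that Flash_Disinfector leaves a folder named autorun.inf at each drive root, so that a file of the same name cannot be created there. The script below is an added example written for this thread, not code from Flash_Disinfector, ComboFix or any other tool mentioned here: it classifies what sits at a drive root (nothing, the protective folder, or an autorun.inf file) and, for a file, lists the keys that would launch a program when the drive is opened. The two drive roots it inspects are constructed in a temporary directory; the `open=autorun.exe` line is a made-up sample patterned on the `AutoRun\command- I:\autorun.exe` entry in the DSS log posted later in the thread.

```python
import tempfile
from pathlib import Path

# autorun.inf keys that make the shell start a program (constructed list, not from the thread)
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun_inf(text):
    """Return the key/value pairs of the [autorun] section with keys lower-cased.

    Windows treats section and key names case-insensitively, so we do too;
    a duplicate key keeps the last value, which is the one the shell uses.
    """
    keys, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def launch_commands(keys):
    """Values that would cause code execution: open=, shellexecute=, shell\\<verb>\\command=."""
    return [v for k, v in keys.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def classify_root(root):
    """Classify the autorun.inf entry at one drive root.

    absent           - nothing there
    protected_folder - a directory, which is what Flash_Disinfector leaves behind
    autorun_file     - a real file; 'commands' lists what it would launch
    """
    target = Path(root) / "autorun.inf"
    if not target.exists():
        return {"state": "absent", "commands": []}
    if target.is_dir():
        return {"state": "protected_folder", "commands": []}
    keys = parse_autorun_inf(target.read_text(errors="replace"))
    return {"state": "autorun_file", "commands": launch_commands(keys)}


def demo():
    """Constructed sample: two fake drive roots built in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        protected = Path(tmp) / "C"            # stands in for a protected C: root
        protected.mkdir()
        (protected / "autorun.inf").mkdir()    # the protective folder, not a file

        removable = Path(tmp) / "I"            # stands in for a removable drive root
        removable.mkdir()
        (removable / "autorun.inf").write_text(
            "[AutoRun]\r\nopen=autorun.exe\r\n"
            "shell\\open\\command=autorun.exe\r\nicon=setup.ico\r\n"
        )
        results["C"] = classify_root(protected)
        results["I"] = classify_root(removable)
    return results


if __name__ == "__main__":
    for drive, info in demo().items():
        print(f"{drive}: {info['state']}  launches={info['commands']}")
```

On a real Windows machine you would call classify_root on each drive letter (for example `Path("E:/")`); a "protected_folder" answer means the Flash_Disinfector folder is still in place, while an "autorun_file" answer with launch commands is worth reading before the drive is opened in Explorer.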

#10 ShrOomiN

ShrOomiN
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:06:23 AM

Posted 13 May 2008 - 11:01 AM

Um make of this what you can, but I tried to run the combofix script, and then my computer gave me a blue screen telling me about a driver error, and that it will dump my physical memory. That's happened before, something I didn't fix when I should have. Anyway I was able to get as far as getting the new HJT log, so I'll attach that. As for the combo fix log, that damnable blue screen interrupted the process of it, I even checked in the combofix folder in my C drive and I couldn't find it. I found a log, but I can't tell if it is the right one, I checked the date but the problem is by accident I already ran another combofix scan, around the same time I did the one with the code you gave me. So I can't tell which scan it came from. Lastly all the rootkits that avast detected for me will be attached as well, under the name rootkits form log. They were actually attached with the same name, on my first post as well, in case it doesn't work out with this one. And very lastly I would try and do another combofix scan for you, but I'm afraid of my computer blue screening me again, I don't want to hurt the thing, and I don't know what may happen next time I try a combofix scan.

On a side note, I'm going to do a system recover, hard-drive less or not. But before I do I'm going to make a post and see if there is a way to hide all of my data on my computer and keep it safe from deletion in some kind of ultra hidden folder, after I do a system recover.

Thank you for everything so far.

Attached Files


Edited by ShrOomiN, 13 May 2008 - 01:10 PM.


#11 annabackwards

annabackwards

  • Members
  • 1,381 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Sydney, Australia.
  • Local time:10:23 PM

Posted 17 May 2008 - 06:25 AM

Hello Shroomin,

I'm sorry for the delay. Did the Flash Disinfector program work at all?
For now, let's get that BSOD (Blue Screen of Death) out of the way :thumbsup:
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
Then click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
Then,

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Now let's get a fresh version of DSS.
Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


Please remember to reply with the DSS log and include whether or not Flash Disinfector worked or not. Also, please let me know of any problems you may have encountered.

#12 ShrOomiN

ShrOomiN
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:06:23 AM

Posted 17 May 2008 - 11:42 PM

Nothing significant happened, I just wanted to let you know that I did not already do a system recover. I don't know if I should now, I'll still do everything you just said too, but on Sunday you can expect a second reply with results from your newest advice. And by Monday, I'll know for sure if I'm just going to do a system recover, or continue with this.

Thanks for everything so far, sorry I can't get back to you just yet, but I just wanted to let you know when to expect something.

#13 annabackwards

annabackwards

  • Members
  • 1,381 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Sydney, Australia.
  • Local time:10:23 PM

Posted 19 May 2008 - 06:29 AM

No worries, take time to think things through :thumbsup:

#14 ShrOomiN

ShrOomiN
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:06:23 AM

Posted 19 May 2008 - 01:00 PM

Ok so you can permanently ignore all my babble about system recoveries, and hard-drives. And here's what's up now, I had to run your newest instructions in safe-mode, because whatever the hell is wrong with my computer now makes booting up a complete pain in the arse. Sometimes it just freezes, like a pop-sickle. And even more unfortunately, Deckard didn't give me another extra folder. I tried recovering the extra folder with the little trick you taught me last time but it didn't do anything this time around. And as for that program Flash Disinfector, I don't believe it worked, what exactly was supposed to happen? If it was supposed to remove viewpoint it didn't, cause there's still remnants of it on my drive. I would have deleted it but I don't know if it's safe to delete it or not.

So, the main.txt file of the deckard's scan is all I got, sorry, but I'm sure you know a way I can retrieve the other half.

----------------------------------------------
Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-18 13:39:36
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:44 PM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Owner\Application Data\Deckard's System Scanner\Deckard's System Scanner.exe
C:\DOCUME~1\Owner\APPLIC~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [avast!] C:\DOCUME~1\Owner\APPLIC~1\Alwil\ashDisp.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Documents and Settings\Owner\Application Data\Ahead\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Documents and Settings\Owner\Application Data\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA59FCBA-94A6-440E-8DBE-50A313104836}: NameServer = 192.168.0.1,4.2.2.2
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Documents and Settings\Owner\Application Data\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Documents and Settings\Owner\Application Data\Alwil\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Documents and Settings\Owner\Application Data\Alwil\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Documents and Settings\Owner\Application Data\Alwil\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Documents and Settings\Owner\Application Data\Alwil\ashWebSv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Documents and Settings\Owner\Application Data\Sunbelt\kpf4ss.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe

--
End of file - 6122 bytes

-- Files created between 2008-04-18 and 2008-05-18 -----------------------------

2008-05-18 11:20:13 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-05-12 23:27:19 0 drahs---- C:\autorun.inf
2008-05-06 00:08:55 0 d-------- C:\Documents and Settings\Owner\Application Data\Deckard's System Scanner
2008-05-04 23:38:49 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-04 23:38:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes


-- Find3M Report ---------------------------------------------------------------

2008-05-18 13:39:44 0 d-------- C:\Documents and Settings\Owner\Application Data\Hijack This
2008-05-18 12:06:54 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla Firefox
2008-05-13 00:37:29 0 d-------- C:\Program Files\Spyware Terminator
2008-05-11 09:35:20 0 d-------- C:\Documents and Settings\Owner\Application Data\Spyware Terminator
2008-04-20 22:50:02 0 d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2008-04-19 07:18:04 0 d-------- C:\Documents and Settings\Owner\Application Data\Steam
2008-04-18 13:21:51 0 d-------- C:\Documents and Settings\Owner\Application Data\PeerGuardian2
2008-04-18 12:35:55 0 d-------- C:\Documents and Settings\Owner\Application Data\gtk-2.0
2008-04-16 23:33:25 0 d-------- C:\Documents and Settings\Owner\Application Data\Sophos Anti-Rootkit
2008-04-16 10:28:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-15 10:47:56 0 d-------- C:\Documents and Settings\Owner\Application Data\mIRC
2008-04-15 10:43:07 0 d-------- C:\Documents and Settings\Owner\Application Data\XDCC Browser
2008-04-11 13:53:44 0 d-------- C:\Program Files\AIM6
2008-04-04 12:17:00 0 d-------- C:\Documents and Settings\Owner\Application Data\Ashampoo
2008-04-04 12:16:05 0 d-------- C:\Documents and Settings\Owner\Application Data\Ashampoo Burning Studio 7
2008-04-04 12:00:22 0 d-------- C:\Program Files\Common Files\Nero
2008-04-04 11:36:15 0 d-------- C:\Program Files\NeroInstall.bak
2008-04-03 23:02:38 0 d-------- C:\Documents and Settings\Owner\Application Data\Deluge
2008-04-03 11:50:55 0 d-------- C:\Documents and Settings\Owner\Application Data\ABC Amber LIT Converter
2008-04-02 11:53:13 0 d-------- C:\Documents and Settings\Owner\Application Data\Alwil
2008-03-31 01:29:34 0 d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-03-30 23:57:46 0 d-------- C:\Documents and Settings\Owner\Application Data\Super DVD Creator 9.5
2008-03-10 01:59:01 2550 --a------ C:\WINDOWS\unins000.dat
2008-03-10 01:53:47 691545 --a------ C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/15/2005 01:05 AM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/05/2004 01:47 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/05/2004 01:47 PM]
"SunKist"="C:\Program Files\Digital Media Reader\shwicon2k.exe" [05/26/2004 09:57 PM]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"avast!"="C:\DOCUME~1\Owner\APPLIC~1\Alwil\ashDisp.exe" [03/29/2008 02:37 PM]
"NBKeyScan"="C:\Documents and Settings\Owner\Application Data\Ahead\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"WinampAgent"="C:\Documents and Settings\Owner\Application Data\Winamp\winampa.exe" [04/01/2008 02:49 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:00 PM]
"Steam"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]
"Aim6"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" []

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2/22/2007 4:38:45 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 4:05:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]
"C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command- I:\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb



-- End of Deckard's System Scanner: finished at 2008-05-18 13:40:01 ------------
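The HijackThis section of the log above is what the helper reads by eye. As an added example (not HijackThis, DSS or any tool from this thread), the script below applies three cheap triage rules to O4, O23 and O17 lines: a startup entry or service whose binary lives under the user profile (`Documents and Settings`, `DOCUME~1`, `Users`), a service HijackThis lists with "Unknown owner", and a NameServer that is not a private address. None of these is proof of malware (in this very log avast and Sunbelt Personal Firewall run from Application Data, and the O17 line just lists a public resolver); they are simply the lines a reviewer checks first. The sample input is six lines copied from the log above; the rule names and markers are this example's own.

```python
import ipaddress
import re

# Constructed sample: six lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\DOCUME~1\Owner\APPLIC~1\Alwil\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Documents and Settings\Owner\Application Data\Winamp\winampa.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA59FCBA-94A6-440E-8DBE-50A313104836}: NameServer = 192.168.0.1,4.2.2.2
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Documents and Settings\Owner\Application Data\Sunbelt\kpf4ss.exe
"""

# Line shapes as HijackThis 2.0.x prints them
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.*?) = (?P<cmd>.*)$")
O23_SERVICE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
O17_DNS = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
IMAGE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|sys|scr|com))"?', re.IGNORECASE)

# Path fragments that mean "inside a user profile" (constructed list for this example)
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\", "\\users\\")


def image_path(command):
    """Pull the executable out of a Run/Startup command, dropping quotes and arguments."""
    m = IMAGE.match(command.strip())
    return m.group("path") if m else command.strip()


def in_user_profile(path):
    """True when the binary lives somewhere an unprivileged user can write."""
    low = path.lower()
    return any(marker in low for marker in PROFILE_MARKERS)


def triage(log_text):
    """Return a list of findings; each is (line_no, rule, detail)."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if m:
            path = image_path(m.group("cmd"))
            if in_user_profile(path):
                findings.append((line_no, "user_profile_path", f"{m.group('name')} -> {path}"))
            continue
        m = O23_SERVICE.match(line)
        if m:
            if m.group("vendor").strip().lower() == "unknown owner":
                findings.append((line_no, "unknown_owner", m.group("name")))
            if in_user_profile(m.group("path")):
                findings.append((line_no, "user_profile_path", f"{m.group('name')} -> {m.group('path')}"))
            continue
        m = O17_DNS.match(line)
        if m:
            for server in m.group("servers").split(","):
                server = server.strip()
                try:
                    addr = ipaddress.ip_address(server)
                except ValueError:
                    findings.append((line_no, "unparseable_nameserver", server))
                    continue
                if not addr.is_private:       # RFC 1918 / loopback addresses are expected here
                    findings.append((line_no, "public_nameserver", server))
    return findings


def rule_counts(findings):
    """How many findings each rule produced, for a quick summary."""
    counts = {}
    for _, rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for line_no, rule, detail in triage(SAMPLE_LOG):
        print(f"line {line_no:>3}  {rule:<22} {detail}")
```

Run against the sample it reports three profile-path entries, one unknown-owner service and one public name server; each is a line to look up, compare with the vendor's expected install location, or confirm with the user, not a verdict.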

#15 annabackwards

annabackwards

  • Members
  • 1,381 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Sydney, Australia.
  • Local time:10:23 PM

Posted 22 May 2008 - 03:15 AM

Hello ShrOomiN,

Your log seems to be clean, which indicates that your problem is not malware related. I'd just like to be sure though before I redirect you to another forum where you might have more luck with some help :thumbsup:

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Please then do an online scan with Kaspersky Online Virus Scanner (Use Internet Explorer as your Browser)

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Next Click on Free Virus Scanner, then Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Standard
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information into your next post.
Remember to post all of the logs I requested. Also, please let me know of any problems you may have encountered.

Edited by annabackwards, 22 May 2008 - 03:16 AM.
