
Possible System32 Worm Or Virus


  • This topic is locked
6 replies to this topic

#1 misash

misash

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:29 PM

Posted 22 April 2008 - 10:39 PM

I just replaced a computer that had been infected with a worm/virus of some type. I am currently running XP Unlimited. My new computer is just the basics, nothing fast or special. I have been trying to download programs such as MSN Messenger and get the error message that it is not a valid Win32 application. I have System Mechanic 7 on my system (put there by the man who worked on my old one and put my current system together). I have also run HouseCall and nothing was found. I have also not been able to install several Windows updates. I am not sure if I have somehow become infected again, or if it is as simple as incorrect security settings......Please read my Deckard and HijackThis logs and advise me what I should do.....PLEASE PLEASE....AND THANK YOU.


Deckard's System Scanner v20071014.68
Run by user on 2008-04-22 22:11:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
23: 2008-04-23 03:12:01 UTC - RP23 - Deckard's System Scanner Restore Point
22: 2008-04-23 02:42:47 UTC - RP22 - Software Distribution Service 3.0
21: 2008-04-23 01:00:19 UTC - RP21 - Installed Microsoft OLE DB Provider for Visual FoxPro
20: 2008-04-22 22:52:34 UTC - RP20 - Removed ABBYY FineReader 5.0 Sprint
19: 2008-04-22 21:43:52 UTC - RP19 - Removed WebFldrs XP


-- First Restore Point --
1: 2008-04-20 10:03:10 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 83% (more than 75%).
Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:59 PM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe
C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\iAVEmailScanner.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user\Desktop\dss.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\Trend Micro\HijackThis\user.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Messenger\msnmsgr.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{A29F4D07-D873-4CD6-8EA0-C0F9FCD2F9B3}: NameServer = 66.209.10.201 66.102.163.231
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe

--
End of file - 2544 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\Trend Micro\HijackThis\backups\) ------

backup-20080420-044547-130 O4 - HKUS\S-1-5-18\..\RunOnce: [Set] fuset.exe (User 'SYSTEM')
backup-20080420-044547-137 O4 - HKUS\S-1-5-20\..\RunOnce: [Set] fuset.exe (User 'NETWORK SERVICE')
backup-20080420-044547-179 O4 - HKLM\..\Policies\Explorer\Run: [Altap] tskstsh (filesize 45632 bytes, MD5 EBD2EA535FC47D426D0C2FC7C7293534)
backup-20080420-044547-269 O4 - HKUS\S-1-5-19\..\RunOnce: [Set] fuset.exe (User 'LOCAL SERVICE')
backup-20080420-044547-365 O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" (filesize 32768 bytes, MD5 8FB740D758B14B1BC950CC347C21E461)
backup-20080420-044547-468 O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
backup-20080420-044547-699 O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (filesize 225280 bytes, MD5 0CBE3E4166A08FC379EABF532B4EFE18)
backup-20080420-044547-746 O4 - HKUS\.DEFAULT\..\RunOnce: [Set] fuset.exe (User 'Default user')
backup-20080420-044547-845 O2 - BHO: SnapFlash Class - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\WINDOWS\system32\jd2002.dll (filesize 143360 bytes, MD5 F154C7845151195565AABF45899DBA1B)
backup-20080420-044548-151 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208681941890
backup-20080421-214639-110 O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
backup-20080421-214639-157 O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Messenger\msnmsgr.exe" /background
backup-20080421-214639-193 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = %USERNAME%
backup-20080421-214639-270 O4 - HKUS\S-1-5-21-2052111302-1035525444-1417001333-1003\..\Policies\Explorer\Run: [Altap] (User '?')
backup-20080421-214639-319 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080421-214639-335 O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
backup-20080421-214639-352 O4 - HKUS\S-1-5-21-2052111302-1035525444-1417001333-1003\..\Run: [msnmsgr] "C:\Program Files\Messenger\msnmsgr.exe" /background (User '?')
backup-20080421-214639-371 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080421-214639-413 O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
backup-20080421-214639-420 O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
backup-20080421-214639-443 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msnmsgr.exe
backup-20080421-214639-460 O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
backup-20080421-214639-494 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080421-214639-603 O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW.exe"
backup-20080421-214639-606 O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
backup-20080421-214639-610 O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe"
backup-20080421-214639-627 O4 - HKUS\S-1-5-21-2052111302-1035525444-1417001333-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
backup-20080421-214639-659 O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
backup-20080421-214639-680 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080421-214639-871 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080421-214640-344 O9 - Extra 'Tools' menuitem: MSN Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msnmsgr.exe
backup-20080421-214641-441 O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
backup-20080421-214641-615 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208686844171
backup-20080421-221039-182 O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\WINDOWS\system32\IECatcher.DLL/FlashCatcher.htm
backup-20080421-221039-266 O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\WINDOWS\system32\IECatcher.DLL
backup-20080421-221039-373 O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
backup-20080421-221039-380 O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\WINDOWS\system32\IECatcher.DLL
backup-20080421-221039-414 O4 - HKUS\S-1-5-21-2052111302-1035525444-1417001333-1003\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan (User '?')
backup-20080421-221039-634 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080421-221039-702 O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
backup-20080421-221039-809 O4 - HKUS\S-1-5-21-2052111302-1035525444-1417001333-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
backup-20080421-221039-915 O4 - HKUS\S-1-5-21-2052111302-1035525444-1417001333-1003\..\Policies\Explorer\Run: [LongClock] (User '?')
backup-20080421-221039-948 O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
backup-20080421-230631-411 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080421-230631-839 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080421-230632-171 O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
backup-20080421-230632-189 O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
backup-20080421-230632-294 O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
backup-20080421-230632-446 O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
backup-20080421-230632-461 O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
backup-20080421-230632-472 O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
backup-20080421-230632-507 O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
backup-20080421-230632-561 O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
backup-20080421-230632-745 O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\WINDOWS\system32\IECatcher.DLL/FlashCatcher.htm
backup-20080421-230632-760 O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
backup-20080421-230632-770 O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Messenger\msnmsgr.exe" /background
backup-20080421-230632-793 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = %USERNAME%
backup-20080421-230632-809 O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\WINDOWS\system32\IECatcher.DLL
backup-20080421-230633-576 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msnmsgr.exe
backup-20080421-230633-829 O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\WINDOWS\system32\IECatcher.DLL
backup-20080421-230634-107 O9 - Extra 'Tools' menuitem: MSN Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msnmsgr.exe
backup-20080421-230634-524 O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
backup-20080422-013849-173 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
backup-20080422-013849-348 O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
backup-20080422-013849-383 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080422-013849-415 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080422-013849-446 O3 - Toolbar: Yahoo! ¤u¨م¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
backup-20080422-013849-489 O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
backup-20080422-013849-510 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080422-013849-536 R3 - URLSearchHook: Yahoo! ¤u¨م¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
backup-20080422-013849-562 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
backup-20080422-013849-589 O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
backup-20080422-013849-593 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
backup-20080422-013849-649 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
backup-20080422-013849-682 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080422-013849-778 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080422-013849-781 O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Messenger\msnmsgr.exe" /background
backup-20080422-013849-799 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
backup-20080422-013850-695 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080422-013850-788 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080422-013850-986 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
backup-20080422-013851-390 O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
backup-20080422-013851-771 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208841853343
backup-20080422-161415-503 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
backup-20080422-161416-443 O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
backup-20080422-161417-228 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080422-161417-873 O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
backup-20080422-161418-826 O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
backup-20080422-161419-290 O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
backup-20080422-161419-681 O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
backup-20080422-161419-736 O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
backup-20080422-161419-907 O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
backup-20080422-161432-128 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208847698250
backup-20080422-161438-941 O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
backup-20080422-204349-448 O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
backup-20080422-204349-468 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080422-212036-136 O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
backup-20080422-212036-742 O17 - HKLM\System\CCS\Services\Tcpip\..\{A29F4D07-D873-4CD6-8EA0-C0F9FCD2F9B3}: NameServer = 66.209.10.201 66.102.163.231
backup-20080422-212659-410 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.reg - regfile - shell\open\command - NOTEPAD.EXE %1
.scr - scrfile - shell\open\command - NOTEPAD.EXE %1
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 XPacket (iolo Personal Firewall Driver) - c:\windows\system32\xpacket.sys <Not Verified; iolo technologies, LLC; iolo Firewall>
R1 FileDisk - c:\windows\system32\drivers\filedisk.sys <Not Verified; iolo technologies, LLC (based on original work by Bo Brantén); filedisk (based on original work by Bo Brantén)>
R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R2 SetupNT - c:\windows\system32\setupnt.sys

S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 MSICPL - d:\install4\msicpl.sys (file missing)
S3 NTACCESS - d:\ntaccess.sys (file missing)
S3 SetupNTGLM7X - d:\ntglm7x.sys (file missing)
S3 Vsp - c:\windows\system32\drivers\vsp.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-03-22 and 2008-04-22 -----------------------------

2008-04-22 21:42:50 0 d-------- C:\WINDOWS\LastGood
2008-04-22 20:00:20 0 d-------- C:\Program Files\Microsoft Visual FoxPro OLE DB Provider
2008-04-22 20:00:20 0 d-------- C:\Program Files\Common Files\Merge Modules
2008-04-22 17:53:09 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-22 16:39:07 0 dr-h----- C:\Documents and Settings\user\Recent
2008-04-22 16:18:44 0 d-------- C:\Documents and Settings\user\Application Data\SAMSUNG
2008-04-22 16:09:34 0 d-------- C:\Program Files\Lexmark X1100 Series
2008-04-22 15:45:05 0 d-------- C:\Program Files\Logitech
2008-04-22 02:32:33 0 d-------- C:\Program Files\CCleaner
2008-04-22 02:09:10 2560 --a------ C:\WINDOWS\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>
2008-04-22 02:09:07 0 d-------- C:\Downloads
2008-04-22 00:23:22 0 d-------- C:\Documents and Settings\user\Application Data\Yahoo!
2008-04-22 00:23:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-21 23:36:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-21 23:31:12 0 d-------- C:\Program Files\Yahoo!
2008-04-21 22:58:47 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-21 22:49:52 0 d-------- C:\WINDOWS\LastGood(2)
2008-04-21 22:00:17 0 d-------- C:\Program Files\Rootkit_Revealer_1_71
2008-04-21 21:59:34 0 d-------- C:\Program Files\Microsoft System Center Configuration Manager 2007 SDK
2008-04-21 21:59:32 0 d-------- C:\Program Files\lspfix
2008-04-21 21:59:02 0 d-------- C:\Program Files\BitComet
2008-04-20 05:08:14 1835008 --a------ C:\Documents and Settings\user\ntuser.dat
2008-04-20 04:51:53 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-20 04:32:57 0 d-------- C:\Program Files\Trend Micro
2008-04-20 04:08:42 174592 --a------ C:\WINDOWS\system32\framedyn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-20 04:08:02 0 d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2008-04-20 04:07:38 5632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2008-04-20 03:37:30 0 d-------- C:\Program Files\Microsoft Works
2008-04-20 03:36:53 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-20 03:36:19 0 d-------- C:\Program Files\Microsoft.NET
2008-04-20 03:33:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-20 03:33:20 0 dr-h----- C:\MSOCache
2008-04-19 22:23:52 0 d-------- C:\Documents and Settings\user\Application Data\WinWay
2008-04-19 22:22:39 0 d-------- C:\Program Files\WinWay Resume
2008-04-19 20:31:03 0 d-------- C:\Program Files\MUSICMATCH
2008-04-19 19:34:54 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-19 19:33:26 0 d-------- C:\WINDOWS\RegisteredPackages
2008-04-19 19:05:54 0 d-------- C:\Program Files\Samsung
2008-04-19 18:32:50 0 d-------- C:\WINDOWS\pss
2008-04-19 18:26:57 0 d-------- C:\WINDOWS\network diagnostic
2008-04-03 18:20:33 0 d-------- C:\Documents and Settings\user\Application Data\CyberLink
2008-04-03 18:20:26 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-04-03 18:04:02 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-04-03 17:06:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-03 17:06:08 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-03 17:06:06 0 d--h----- C:\WINDOWS\$hf_mig$


-- Find3M Report ---------------------------------------------------------------

2008-04-22 20:00:20 0 d-------- C:\Program Files\Common Files
2008-04-22 18:13:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-20 04:27:09 0 d-------- C:\Documents and Settings\user\Application Data\Adobe
2008-04-20 00:52:34 0 d-------- C:\Documents and Settings\user\Application Data\iolo
2008-04-20 00:52:08 0 d-------- C:\Program Files\Messenger
2008-03-13 11:08:46 38912 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-03-13 10:25:46 32768 --a------ C:\WINDOWS\system32\iolobtdfg.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iolo AntiVirus"="C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe" [03/05/2008 12:48 PM]
"iolo Personal Firewall"="C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW.exe" [03/05/2008 01:06 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" [04/20/2008 04:32 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [12/31/2005 07:00 PM]
"msnmsgr"="C:\Program Files\Messenger\msnmsgr.exe" [08/13/2005 02:44 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"=0 (0x0)
"SynchronousUserGroupPolicy"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)
"NoRecentDocsHistory"=00000000
"MaxRecentDocs"=10 (0xa)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"Altap"=0 (0x0)
"LongClock"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AudioDeck.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AudioDeck.lnk
backup=C:\WINDOWS\pss\AudioDeck.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
"C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"seclogon"=2 (0x2)
"dvpapi"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"LexBceS"=2 (0x2)
"InCDsrv"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-04-22 22:14:34 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Duron™ processor
Percentage of Memory in Use: 74%
Physical Memory (total/avail): 479.49 MiB / 121.34 MiB
Pagefile Memory (total/avail): 1122.14 MiB / 732.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1917.81 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 63.34 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800BB-55JKA0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.

FW: iolo Personal Firewall® v1.5 (iolo technologies, LLC)
AV: iolo AntiVirus® v1.5 (iolo technologies, LLC)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iolo\\System Mechanic Professional 7\\Personal Firewall\\ioloFW.exe"="C:\\Program Files\\iolo\\System Mechanic Professional 7\\Personal Firewall\\ioloFW.exe:*:Enabled:iolo Firewall®"
"C:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\ioloAV.exe"="C:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\ioloAV.exe:*:Enabled:iolo AntiVirus®"
"C:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\iAVEmailScanner.exe"="C:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\iAVEmailScanner.exe:*:Enabled:iolo AntiVirus® Email Protection"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe:*:Disabled:backWeb-8876480"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\user\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME-5FD11D1A13
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\user
LOGONSERVER=\\HOME-5FD11D1A13
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Samsung\Samsung PC Studio 3\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\user\Local Settings\Temp
TMP=C:\DOCUME~1\user\Local Settings\Temp
USERDOMAIN=HOME-5FD11D1A13
USERNAME=user
USERPROFILE=C:\Documents and Settings\user
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

user (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type499 / Error
Event Submitted/Written: 04/22/2008 09:10:35 PM
Event ID/Source: 5000 / .NET Runtime 2.0 Error Reporting
Event Description:
EventType clr20r3, P1 dfsvc.exe, P2 2.0.50727.42, P3 4333af20, P4 mscorlib, P5 2.0.0.0, P6 471ebc5b, P7 1b08, P8 10, P9 clr20r30, P10 clr20r31.

Event Record #/Type493 / Warning
Event Submitted/Written: 04/22/2008 08:45:21 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{C67DF120-4DD3-11D4-A3CA-005004AD2A5B}', feature 'AV_SCANENGINE' failed during request for component '{C5DCA2B7-F0A1-4941-BF08-BA5F6DD385D0}'

Event Record #/Type492 / Warning
Event Submitted/Written: 04/22/2008 08:45:21 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{C67DF120-4DD3-11D4-A3CA-005004AD2A5B}', feature 'AV_SCANENGINE', component '{1B360433-410C-45ED-8BE3-43D11D782F5B}' failed. The resource 'C:\Program Files\Common Files\Authentium\AntiVirus\csav.exe' does not exist.

Event Record #/Type488 / Warning
Event Submitted/Written: 04/22/2008 08:10:01 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{C67DF120-4DD3-11D4-A3CA-005004AD2A5B}', feature 'AV_SCANENGINE' failed during request for component '{C5DCA2B7-F0A1-4941-BF08-BA5F6DD385D0}'

Event Record #/Type487 / Warning
Event Submitted/Written: 04/22/2008 08:10:01 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{C67DF120-4DD3-11D4-A3CA-005004AD2A5B}', feature 'AV_SCANENGINE', component '{1B360433-410C-45ED-8BE3-43D11D782F5B}' failed. The resource 'C:\Program Files\Common Files\Authentium\AntiVirus\csav.exe' does not exist.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1668 / Error
Event Submitted/Written: 04/22/2008 09:49:05 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {FB7199AB-79BF-11D2-8D94-0000F875C541} did not register with DCOM within the required timeout.

Event Record #/Type1649 / Error
Event Submitted/Written: 04/22/2008 09:23:57 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Print Spooler service depends on the LexBce Server service which failed to start because of the following error:
%%1058

Event Record #/Type1610 / Error
Event Submitted/Written: 04/22/2008 08:41:49 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Print Spooler service depends on the LexBce Server service which failed to start because of the following error:
%%1058

Event Record #/Type1603 / Warning
Event Submitted/Written: 04/22/2008 08:40:05 PM
Event ID/Source: 240 / Win32k
Event Description:
A request to suspend power was denied by winlogon.exe.

Event Record #/Type1597 / Error
Event Submitted/Written: 04/22/2008 07:31:48 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {FB7199AB-79BF-11D2-8D94-0000F875C541} did not register with DCOM within the required timeout.



-- End of Deckard's System Scanner: finished at 2008-04-22 22:14:34 ------------
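The event-log section of the DSS report above is the most useful evidence in this post for triage: MsiInstaller 1004 names an installed file that is gone, Service Control Manager 7001 says the Print Spooler dependency could not start and gives the Win32 error as `%%1058` (ERROR_SERVICE_DISABLED in winerror.h, i.e. the LexBce Server service is disabled, not broken), and DCOM 10010 names a CLSID that never registered. The parser below is an added example, not part of the original post or of Deckard's System Scanner; it reads the DSS event-log format into records and flags only the entries an analyst would act on. The embedded sample is a trimmed copy of the log printed above, and the small `WIN32_ERRORS` table is an assumption of which codes are worth naming.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: a trimmed copy of the Application/System Event Log sections of
# the DSS report quoted in the post (one record of each kind we care about).
SAMPLE_LOG = r"""
-- Application Event Log -------------------------------------------------------

Event Record #/Type493 / Warning
Event Submitted/Written: 04/22/2008 08:45:21 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{C67DF120-4DD3-11D4-A3CA-005004AD2A5B}', feature 'AV_SCANENGINE' failed during request for component '{C5DCA2B7-F0A1-4941-BF08-BA5F6DD385D0}'

Event Record #/Type492 / Warning
Event Submitted/Written: 04/22/2008 08:45:21 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{C67DF120-4DD3-11D4-A3CA-005004AD2A5B}', feature 'AV_SCANENGINE', component '{1B360433-410C-45ED-8BE3-43D11D782F5B}' failed. The resource 'C:\Program Files\Common Files\Authentium\AntiVirus\csav.exe' does not exist.

-- System Event Log ------------------------------------------------------------

Event Record #/Type1649 / Error
Event Submitted/Written: 04/22/2008 09:23:57 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Print Spooler service depends on the LexBce Server service which failed to start because of the following error:
%%1058

Event Record #/Type1668 / Error
Event Submitted/Written: 04/22/2008 09:49:05 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {FB7199AB-79BF-11D2-8D94-0000F875C541} did not register with DCOM within the required timeout.
"""

RECORD_RE = re.compile(r"^Event Record #/Type(\d+) / (\w+)$")
WRITTEN_RE = re.compile(r"^Event Submitted/Written: (.+)$")
IDSRC_RE = re.compile(r"^Event ID/Source: (\d+) / (.+)$")
WIN32_ERR_RE = re.compile(r"%%(\d+)")

# Win32 error codes that DSS prints as %%NNNN (names from winerror.h).
# Assumption: this small table covers the codes we want to name in findings.
WIN32_ERRORS = {
    1053: "ERROR_SERVICE_REQUEST_TIMEOUT",
    1058: "ERROR_SERVICE_DISABLED",
    1068: "ERROR_SERVICE_DEPENDENCY_FAIL",
}


@dataclass
class Event:
    record: int
    level: str
    written: Optional[str]
    event_id: Optional[int]
    source: Optional[str]
    description: str


def parse_dss_events(text: str) -> List[Event]:
    """Split a DSS event-log dump into Event records (records are blank-line separated)."""
    events: List[Event] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RECORD_RE.match(lines[i])
        if not m:
            i += 1  # section headers, blank lines, anything that is not a record
            continue
        record, level = int(m.group(1)), m.group(2)
        written, event_id, source = None, None, None
        desc_lines: List[str] = []
        i += 1
        while i < len(lines) and lines[i].strip():
            line = lines[i]
            if (w := WRITTEN_RE.match(line)):
                written = w.group(1)
            elif (s := IDSRC_RE.match(line)):
                event_id, source = int(s.group(1)), s.group(2).strip()
            elif line != "Event Description:":
                desc_lines.append(line)  # description may span several lines
            i += 1
        events.append(Event(record, level, written, event_id, source, " ".join(desc_lines)))
    return events


def triage(ev: Event) -> Optional[str]:
    """Return a one-line finding for an event worth acting on, else None."""
    if ev.source == "Service Control Manager" and ev.event_id == 7001:
        codes = [int(c) for c in WIN32_ERR_RE.findall(ev.description)]
        names = [WIN32_ERRORS.get(c, f"Win32 error {c}") for c in codes]
        dep = re.search(r"depends on the (.+?) service", ev.description)
        return f"dependency failure: {dep.group(1) if dep else '?'} -> {', '.join(names)}"
    if ev.source == "MsiInstaller" and ev.event_id == 1004:
        res = re.search(r"The resource '([^']+)' does not exist", ev.description)
        return f"missing installed file: {res.group(1) if res else '?'}"
    if ev.source == "DCOM" and ev.event_id == 10010:
        clsid = re.search(r"\{[0-9A-Fa-f-]+\}", ev.description)
        return f"DCOM server not registering: {clsid.group(0) if clsid else '?'}"
    return None  # e.g. MsiInstaller 1001 is noise next to the 1004 that names the file


def findings(text: str) -> Dict[int, str]:
    """Map event record number -> finding for every actionable event in the dump."""
    return {ev.record: f for ev in parse_dss_events(text) if (f := triage(ev))}


if __name__ == "__main__":
    for rec, finding in sorted(findings(SAMPLE_LOG).items()):
        print(f"#{rec}: {finding}")
```

Run against the full report in the post, this reduces the log to three lines: a file the Authentium MSI package expects is missing, the LexBce Server service is disabled (not crashing), and one DCOM CLSID is timing out. None of those is on its own evidence of malware, which is worth knowing before reading the rest of the thread.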


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:29 PM

Posted 11 May 2008 - 10:11 AM

Hello misash :thumbsup:


I apologize for the delay in response. We get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.


thewall




I will need an updated Deckards log because some things may have changed since your first post. Also will need the following:


Please do an online scan with Kaspersky WebScanner

Click on Accept Button

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information along with the Deckard's scan in your next post.

If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 misash

misash
  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:29 PM

Posted 14 May 2008 - 11:30 PM

Sorry for my delay as well. Well, that computer was returned. It was still under the 30 days so it was returned; however, I am still having the same issues with the new one. I am about at my wits' end. I even Boot and Nuked it last night and reloaded the OS and the same things are happening. So for starters here is my HijackThis log.....there really is not much else I can do at this point. I am wondering how I am online now.....Your help is greatly appreciated. I included the uninstall list as well due to the fact there are programs in it that do not show up in my Control Panel. Thanks again!!

Attached Files



#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:29 PM

Posted 15 May 2008 - 04:06 PM

misash,

I need you to follow the instructions below and download Deckards System Scanner, then post the logs it makes. When you do so please post it like you did the first time and not as an attachment because it makes it a little easier to research that way. I would also ask that you make no changes or delete any entries in the HJT log while we are working on the problem. It is necessary we know everything that is happening when we work with a system due to the nature of the fixes.






Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.






Thanks, :thumbsup:



thewall

#5 misash

misash
  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:29 PM

Posted 22 May 2008 - 12:33 PM

Hi there,

Sorry for the delay again. I was not able to get online. I am away from my computer for the next few days; I will run the scan and post ASAP. It will be sometime Monday evening. Thank you for your patience and time with this.

#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:29 PM

Posted 23 May 2008 - 06:57 PM

OK, I'll wait on it.

#7 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass
  • Local time:07:29 PM

Posted 30 May 2008 - 12:34 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



