
Malware / Adware Takes Over Ie Sessions


This topic is locked. 2 replies to this topic.

#1 AbbotM

  • Members
  • 1 posts
  • OFFLINE
  • Local time: 07:59 AM

Posted 27 April 2008 - 06:27 PM

Some malware program takes over my browser and automatically navigates to sites like Horny Matches or Online University. IE then slows down, and I can't navigate to any other site. This problem makes it almost impossible to get to YOUR site to post the problem. I finally managed it by doing most of the downloads, etc. on a laptop, and copying the files around on a USB key. The CA eTrust antivirus program I use doesn't seem able to find or neutralize this thing at all.

DSS only produced one file (Main.TXT). I couldn't get the Kaspersky online scan to work on the infected computer, because the malware prevents it from running.

The DSS Main.TXT file is inline below.

Thanks for your help.

Deckard's System Scanner v20071014.68
Run by AbbotM on 2008-04-27 16:12:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as AbbotM.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:55 PM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
D:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FolderShare\FolderShare.exe
C:\Program Files\Svconr\Svconr.exe
D:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Windows Home Server\WHSTrayApp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
O:\Downloads\winzip\WZQKPICK.EXE
C:\Program Files\IT Connection Manager\SRUserService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\AbbotM\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\AbbotM.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = itgproxy:80
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
O3 - Toolbar: Home Server Banner - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - C:\Program Files\Windows Home Server\WHSDeskBands.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus Photo RX595 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICLA.EXE /FU "C:\WINDOWS\TEMP\E_S181.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Realtime Monitor] C:\Program Files\CA\eTrust Antivirus\realmon.exe -s (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: NkvMon.exe.lnk = D:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Windows Home Server.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = O:\Downloads\winzip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://fasthelp.dns.microsoft.com/sdccommo...oad/tgctlsi.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - https://1oak-dc01/connectcomputer/nshelp.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173715256962
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138334660437
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft Terminal Services Client Control (redist)) - https://1oak.us/Remote/msrdp.cab
O16 - DPF: {A3655053-996D-11D0-906E-00C04FD70320} (ExpClient Class) - http://msexpense/msxpclnt.cab
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 1OAK.local
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (inorpc) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (inort) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (inotask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - D:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - D:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12561 bytes

-- Files created between 2008-03-27 and 2008-04-27 -----------------------------

2008-04-27 15:55:09 0 d-------- C:\cmdcons
2008-04-27 15:53:55 68096 --a------ C:\WINDOWS\zip.exe
2008-04-27 15:53:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-27 15:53:55 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-27 15:53:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-27 15:53:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-27 15:53:55 98816 --a------ C:\WINDOWS\sed.exe
2008-04-27 15:53:55 80412 --a------ C:\WINDOWS\grep.exe
2008-04-27 15:53:55 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-27 13:22:08 0 d-------- C:\Program Files\CA
2008-04-27 13:18:22 0 d-------- C:\Program Files\Microsoft Forefront
2008-04-27 11:24:38 0 d-------- C:\Program Files\Trend Micro
2008-04-26 17:43:09 0 d--hs---- C:\found.000
2008-04-26 17:38:46 56320 --a------ C:\WINDOWS\system32\delttray.exe <Not Verified; Doug Fetter Software Wizardry; M Audio Delta Control Panel Interface System Tray Applet>
2008-04-26 17:38:45 2405806 --a------ C:\WINDOWS\system32\pcifmdio.dll <Not Verified; Digidesign; Digidesign PCI Support Library>
2008-04-26 17:38:45 292992 --a------ C:\WINDOWS\system32\drivers\delta.sys <Not Verified; Midiman/M-Audio; M-Audio Delta WDM Driver>
2008-04-26 17:38:45 20480 --a------ C:\WINDOWS\system32\deltasio.dll <Not Verified; Midiman/M-Audio; M-Audio Delta ASIO Support Library>
2008-04-26 17:38:45 1122304 --a------ C:\WINDOWS\system32\deltapnl.exe <Not Verified; M-Audio; M-Audio Delta Control Panel Application>
2008-04-26 17:38:45 44032 --a------ C:\WINDOWS\system32\deltapnl.dll <Not Verified; M-Audio; M-Audio Delta Control Panel Interface>
2008-04-26 17:38:45 0 d-------- C:\Program Files\M-Audio
2008-04-26 17:26:56 0 d-------- C:\Program Files\Windows Home Server
2008-04-25 10:26:51 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-24 17:23:04 0 d-------- C:\Program Files\Inet_Get_2
2008-04-24 17:02:50 0 d-------- C:\Program Files\Svconr
2008-04-24 14:44:20 73728 --a------ C:\WINDOWS\b156.exe
2008-04-23 20:31:38 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-23 17:07:14 28672 --a------ C:\WINDOWS\system32\winpdc32.dll
2008-04-23 17:06:45 61874 --a------ C:\WINDOWS\ydhqzop.sys
2008-04-23 17:06:41 65536 --a------ C:\lssxyqr.exe
2008-04-23 16:50:20 37376 --a------ C:\WINDOWS\17PHolmes1535.exe
2008-04-23 16:33:24 37376 --a------ C:\WINDOWS\mrofinu1535.exe
2008-04-23 12:46:26 0 d-------- C:\epson
2008-04-22 01:39:09 0 d-------- C:\Windows Home Server Drivers for Restore
2008-04-20 21:19:22 0 d-------- C:\Documents and Settings\AbbotM\Application Data\Windows Home Server
2008-04-17 11:49:38 273408 --a------ C:\WINDOWS\b148.exe
2008-04-15 22:07:20 0 d-------- C:\Program Files\Common Files\Brother
2008-04-11 07:48:26 11264 --a------ C:\WINDOWS\b138.exe
2008-04-08 16:33:56 68096 --a------ C:\WINDOWS\b155.exe
2008-04-01 21:18:00 0 d-------- C:\Program Files\Common Files\xing shared


-- Find3M Report ---------------------------------------------------------------

2008-04-24 21:07:48 0 d-------- C:\Documents and Settings\AbbotM\Application Data\Intuit
2008-04-24 17:23:16 10 --a------ C:\Program Files\.autoreg
2008-04-23 21:10:24 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-04-23 20:06:28 0 d-------- C:\Documents and Settings\AbbotM\Application Data\AdobeUM
2008-04-23 13:06:59 0 d-------- C:\Program Files\Online Services
2008-04-23 11:53:55 0 d-------- C:\Program Files\IT Connection Manager
2008-04-20 21:16:00 0 d-------- C:\Program Files\Common Files
2008-04-20 21:16:00 0 d-------- C:\Documents and Settings\AbbotM\Application Data\Netscape
2008-04-20 13:53:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 22:08:51 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-01 21:17:57 0 d-------- C:\Program Files\Real
2008-04-01 21:17:51 0 d-------- C:\Program Files\Common Files\Real
2008-03-04 12:32:27 105984 --a------ C:\WINDOWS\b152.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [06/20/2003 08:06 AM C:\WINDOWS\system32\ptipbmf.dll]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [03/11/2003 05:24 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [08/27/2002 09:47 AM]
"nwiz"="nwiz.exe" [08/27/2002 09:47 AM C:\WINDOWS\system32\nwiz.exe]
"gemstrmw"="C:\WINDOWS\system32\gemstrmw.exe" [08/30/2003 12:35 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/08/2005 09:05 PM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 01:01 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07/12/2006 08:37 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [12/13/2004 03:30 PM]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [09/09/2005 08:09 PM]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [11/22/2005 10:34 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [03/23/2005 04:26 PM]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [12/14/2004 03:12 AM]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [05/22/2006 01:26 PM]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [08/26/2004 11:43 PM]
"DeltTray"="DeltTray.exe" [08/26/2004 11:43 PM C:\WINDOWS\system32\delttray.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="" []
"NvMediaCenter"="NvMCTray.dll,NvTaskbarInit" []
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [05/12/2005 12:40 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"FolderShare"="C:\Program Files\FolderShare\FolderShare.exe" [10/30/2005 10:12 PM]
"EPSON Stylus Photo RX595 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICLA.exe" [03/30/2007 06:00 AM]
"Svconr"="C:\Program Files\Svconr\Svconr.exe" [04/24/2008 05:02 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe"
"Realtime Monitor"=C:\Program Files\CA\eTrust Antivirus\realmon.exe -s

C:\Documents and Settings\AbbotM\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1/16/2005 9:39:51 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [11/11/2006 9:47:59 PM]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [12/29/2006 5:51:46 PM]
Microsoft Office OneNote 2003 Quick Launch.lnk - D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [11/11/2006 9:46:32 PM]
NkvMon.exe.lnk - D:\Program Files\Nikon\NkView6\NkvMon.exe [11/11/2006 9:46:11 PM]
Windows Home Server.lnk - C:\WINDOWS\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [4/26/2008 5:27:01 PM]
WinZip Quick Pick.lnk - O:\Downloads\winzip\WZQKPICK.EXE [7/10/2007 4:31:49 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll [04/28/2005 11:22 PM 622592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkp32]
winrkp32.dll




-- End of Deckard's System Scanner: finished at 2008-04-27 16:13:15 ------------


#2 ken545

  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  • Gender: Male
  • Location: The Space Coast of Florida
  • Local time: 09:59 AM

Posted 13 May 2008 - 12:07 PM

Hello AbbotM

Welcome to the Bleeping Computer Malware Removal Forum. Sorry for the delay in responding, but the number of people posting with infected computers is through the roof and we sometimes can't get to logs as fast as we would like to. If you have not resolved this issue and still need assistance, post a new HJT log, as your system may have changed since your original post.


Download Trend Micro's HijackThis to your desktop.
Double-click it to install.
Follow the prompts; by default it will install in C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
  • Open HJT, Scan and Save a Log File; it will open in Notepad
  • Go to Format and make sure Word Wrap is unchecked
  • Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread by using Post Reply, not by starting a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days


#3 ken545

  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  • Gender: Male
  • Location: The Space Coast of Florida
  • Local time: 09:59 AM

Posted 31 May 2008 - 09:54 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.
